Release Notes for Symantec Critical System Protection Version 5.2.8 MP4


Contents

Chapter 1 Release 5.2.8 MP4 ... 7
    About the Release Notes for Symantec Critical System Protection ... 7
    About Symantec Critical System Protection ... 7
    What's new in release 5.2.8 MP4 ... 8
        Additional platform support ... 8
        vSphere Support Pack on Symantec Critical System Protection 5.2.8 MP4 CD Image ... 9
        IT Analytics Solution and IT Analytics Pack for Symantec Critical System Protection (available in mid July 2012) ... 9
        Symantec Critical System Protection Planning and Deployment Guide ... 9
        The Bulkload Utility has been enhanced to support uploading of multiple files to the Database ... 10
    Resolved issues ... 10
        Incorrect process paths for chrooted programs on Linux ... 10
        Symantec Critical System Protection agent installation switch -disableFim does not work ... 11
        Enabling RT-FIM driver on AIX may cause system crash ... 12
        AIX Incoherent timestamps for IDS WtmpCollector events ... 12
        Silent agent installation failure due to kernel version mismatch on RHEL 5.8 ... 13
        Unexpected IPS behavior with the use of multiple optional parameters in the prevention policies ... 14
        Policy translation error with out of the box policy using mandatory reference lookup on empty registry value ... 15
        Excessive memory usage by SISIDSService on Windows Domain Controllers ... 15
        High CPU usage by SISIDSService on Windows Domain Controllers ... 16
        SISIDSService does not shut down cleanly under high Windows Event log load ... 16
        Applying a large number of custom policies on agents prevents new policy compilation ... 17
        Conversion of varchar value throws an exception on Symantec Critical System Protection Server ... 17
        Settings in the sis-server.properties ignored after a Management Server upgrade ... 18
        Ordering of Rules in the IDS Baseline Policy ... 18
        System deadlock or panic on Solaris Servers with Cluster software ... 18
        When exporting directories from a highly active NFS Server, Symantec Critical System Protection IPS may cause Solaris 9 and 10 to crash ... 19
        IPS Driver causes high CPU and possible system crash when a 32 bit Process executes a command with a long parameter list on a 64-bit Linux platform ... 19
        High CPU usage from processes with file operations on a large number of files in the /tmp (tmpfs) file system ... 20
    Known issues ... 21
        SCSP Console window does not display any assets for the Custom Policy Re-apply Policy Wizard ... 21

Chapter 2 Release 5.2.8 MP3 ... 23
    What's new in release 5.2.8 MP3 ... 23
        Additional platform support ... 23
        About copying alerts ... 23
        Kill any process with Symantec Critical System Protection new detection policy ... 24
        Tightened thread injection rules in the Windows policies ... 24
        Option added in the template policies to record certain number of events generated in a specified time interval ... 25
    Resolved issues ... 25
        SISIDSRegDrv.sys blue screen error ... 25
        Policy updated ... 25
        Windows system performance degradation with circular directory symbolic links ... 26
        Updated monitored file lists in the Unix Baseline policy ... 26
        Continuous system restart or system startup failure ... 26
        Incorrect processing of alert filter with wildcard ... 27
        Incorrect parameter label in the Baseline detection policy ... 27
        Silent installation works as expected ... 27
        Support for optional modifier reference in a network rule ... 28
        Degraded system performance on systems running a significant number of processes while Symantec Critical System Protection agent is installed ... 28
    Known issues ... 29
        Symantec Critical System Protection does not record SU operations logoff events ... 29
        Local port parameter does not work for network outbound TCP connection control ... 29

Chapter 3 Release 5.2.8 MP2 ... 31
    What's new in release 5.2.8 MP2 ... 31
        Additional platform support ... 31
        Targeted prevention policy ... 32
        About the duplicate agent registration settings ... 39
        Disabling duplicate agent registration ... 39
    Resolved issues ... 40
        Systems with heavy network load experienced higher CPU usage ... 40
        The System_Failed_Access_Status policy now records the login failure for batch job ... 40
        Root level failed telnet logon is now recorded by Symantec Critical System Protection ... 41
        The continuous file change alerts do not occur when you upgrade the Symantec Critical System Protection 5.2.6 MP2 agent to any new agent version ... 41
        The Windows_template_policy allowed adding identical value and comment entries in the filewatch list ... 41
        Symantec Critical System Protection detection service start or restart triggered excessive filewatch events ... 41
        Blue screen error no longer occurs ... 42
        Symantec Critical System Protection policies now retain the policy values after export and import ... 42
        UserName information for Windows Event Log events no longer appear blank ... 42
        Windows Detection Policy now provides the flexibility to add date and time restrictions to each rule in System Audit Tampering ... 43
        Timeout dialog box now displays the console name it is connected to ... 43
        Symantec Critical System Protection now displays the correct count of registered agents in the System Summary query result ... 43
    Known issues ... 44
        Cannot use an optional user name reference in a network rule ... 44
        Successful FTP logons by root are not recorded by Symantec Critical System Protection ... 44

Chapter 4 Release 5.2.8 MP1 ... 45
    What's new in release 5.2.8 MP1 ... 45
        IDS features ... 45

Chapter 5 Release 5.2 RU8 ... 47
    What's new in release 5.2 RU8 ... 47
        IDS and IPS features ... 47
        IPS features ... 63
    Additional release information ... 77
        Logging of previous user ID to track privilege escalation on IPS events ... 77
        Use of Tomcat 5.5.33 ... 77
        Restart required ... 77
        You must upgrade Solaris x86 agents before you upgrade your Symantec Critical System Protection management servers to release 5.2 RU8 ... 78
        Microsoft SQL Server 2000 is no longer supported ... 78
        Build ID version numbers are now synchronized ... 78
    What you need to know before you install or upgrade your software ... 79

Legal Notice ... 81

Chapter 1 Release 5.2.8 MP4

This chapter includes the following topics:

■ About the Release Notes for Symantec Critical System Protection

■ About Symantec Critical System Protection

■ What's new in release 5.2.8 MP4

■ Resolved issues

■ Known issues

About the Release Notes for Symantec Critical System Protection

This document may be revised between releases, as new information becomes available. You can view the latest release notes and other information by clicking the following link:

Symantec Critical System Protection Documentation

Review the Release Notes in their entirety before you install or deploy Symantec Critical System Protection, or call for technical support. This document describes known issues and provides additional information that is not included in the standard documentation or the online help.

About Symantec Critical System Protection

Welcome to Symantec Critical System Protection, a flexible, multi-layer security solution for servers that detects abnormal system activities. Symantec Critical System Protection prevents and blocks viruses and worms, hacking attacks, and zero-day vulnerability attacks. Symantec Critical System Protection also hardens systems, enforcing behavior-based security policies on clients and servers.

Symantec Critical System Protection includes a management console and server components, and agent components that enforce policies on computers. The management server and management console run on Windows operating systems. The agent runs on Windows and UNIX operating systems.

Among Symantec Critical System Protection's key features are:

■ Predefined application policies for common Microsoft interactive applications

■ Out-of-the-box policies that continuously lock down the operating system, high-risk applications, and databases to prevent unauthorized executables from being introduced and run

■ Microsoft Windows, Sun Solaris, IBM AIX, and Linux platform support

Among Symantec Critical System Protection's key benefits are:

■ Provides proactive, host-based security against day-zero attacks

■ Offers protection against buffer overflow and memory-based attacks

■ Helps to maintain compliance with security policies by providing granular control over programs and data

What's new in release 5.2.8 MP4

Additional platform support

The 5.2.8 MP4 release adds support for the following platforms:

Table 1-1 Platforms new for 5.2.8 MP4

Platform                                                 Support for IDS   Support for IPS
Red Hat Enterprise Linux 6.3 (64-bit)                    Yes               -
SUSE Linux Enterprise Server 11 SP2 (32-bit and 64-bit)  Yes               Yes
AIX 6.1 TL7 SP2                                          Yes               Yes

vSphere Support Pack on Symantec Critical System Protection 5.2.8 MP4 CD Image

Symantec Critical System Protection vSphere Support Pack 5.2.8-01, released with 5.2.8 MP3, was available as a downloadable package. The vSphere Support Pack is now available on the Symantec Critical System Protection 5.2.8 MP4 CD Image under the packs folder as SCSPvSphereSupportPack-5.2.8-01.zip.

The Symantec Critical System Protection vSphere Support Package leverages and extends existing Symantec Critical System Protection prevention and detection capabilities to address specific vSphere 5.0 applications and platforms. For more information, see the Symantec Critical System Protection vSphere Support Pack 5.2.8-01 Release Notes in the vSphere Support Pack.

IT Analytics Solution and IT Analytics Pack for Symantec Critical System Protection (available in mid July 2012)

IT Analytics Solution software complements and expands upon the reporting that is offered in many Symantec solutions. It brings multi-dimensional analysis and robust graphical reporting features to Symantec Management Platform.

The actual definitions for the cubes, reports, and dashboards are contained within the IT Analytics Packs that align with the existing Symantec suites. These definitions provide the business value for IT Analytics Solution.

To install IT Analytics and IT Analytics for Symantec Critical System Protection, see the following documentation:

IT Analytics User Guide

You can install IT Analytics Solution from within the Symantec Installation Manager available on the Symantec Critical System Protection 5.2.8 MP4 CD Image under tools/ITAnalytics/Symantec_sim_7_1_206.exe.

Symantec Critical System Protection Planning and Deployment Guide

A Planning and Deployment Guide is now available for Symantec Critical System Protection. The guide briefly describes the Symantec Critical System Protection components and infrastructure. It discusses issues that you should consider when planning an enterprise deployment. It discusses some of the important decisions that you need to make before you deploy in a production environment.

The Symantec Critical System Protection Planning and Deployment Guide is available on the following Web page:

Symantec Critical System Protection Documentation


The Bulkload Utility has been enhanced to support uploading of multiple files to the Database

The Bulkload Utility has been enhanced in 5.2.8 MP4 to let you upload multiple event log files at a single time, with support for a wildcard at the end of the path. The earlier version of the Bulkload Utility let you upload bulk log files from the server to the database one log file at a time. This method became cumbersome when there were several files that needed to be uploaded, because it required you to run the utility multiple times.

The enhanced Bulkload Utility syntax is as follows:

bulkload [options] "eventFileList"

eventFileList is a list of agent log files separated by semicolons and placed within double quotes. The event file list also supports the asterisk wildcard character at the end of the path to fetch all event log files (compressed files) from a directory.

Table 1-2 Bulkload Utility options

Option            Description
-t tableName      The destination table (CSPEVENT or ANALYSIS_EVENT) [ANALYSIS_EVENT]
-f                Force the load. Ignore mismatched file checksum and unknown agent GUID errors
-m managerName    The original manager name for events from another Symantec Critical System Protection Server [NULL]

Following are some examples of typical command lines for the Bulkload Utility:

BULKLOAD -f -t CSPEVENT -m DMZ "F:\Agent01\foo1.zip;F:\Agent01\foo2.zip"

BULKLOAD -f -t CSPEVENT -m DMZ "F:\Agent01\foo2.zip;C:\Agent02\*"
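To make the eventFileList syntax concrete, here is an added example (not the Bulkload Utility's own code, and not from the release notes) that expands such a list into explicit file paths: semicolon-separated entries, with a trailing asterisk fetching every compressed file in a directory. The .zip suffix filter, the error raised for a missing explicit entry, and the directory layout the demo builds under a temporary folder are assumptions of the example.

```python
"""Expand a Bulkload-style eventFileList argument into explicit file paths.

Added example; not code from the release notes or from the Bulkload Utility.
It models only the syntax described in the notes: entries separated by
semicolons, and an entry ending in "*" fetches every compressed event log
file in that directory. The ".zip" filter and the error on a missing
explicit entry are assumptions of this example.
"""
import os
import tempfile
from typing import List

COMPRESSED_SUFFIXES = (".zip",)  # assumption: compressed agent logs are .zip


def expand_event_file_list(event_file_list: str) -> List[str]:
    """Return the explicit file paths named by an eventFileList string.

    An explicit entry that does not exist raises FileNotFoundError, so a typo
    surfaces before any upload starts instead of being silently skipped.
    """
    paths: List[str] = []
    for entry in event_file_list.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty entry such as a trailing ';'
        if entry.endswith("*"):
            # The wildcard is only honoured at the end of the path.
            directory = entry[:-1] or "."
            if not os.path.isdir(directory):
                raise FileNotFoundError(f"wildcard directory not found: {directory}")
            for name in sorted(os.listdir(directory)):
                if name.lower().endswith(COMPRESSED_SUFFIXES):
                    paths.append(os.path.join(directory, name))
        else:
            if not os.path.isfile(entry):
                raise FileNotFoundError(f"event file not found: {entry}")
            paths.append(entry)
    return paths


def demo() -> List[str]:
    """Build a constructed directory layout in a temp folder and expand a
    list shaped like the second command line in the release notes."""
    root = tempfile.mkdtemp(prefix="bulkload-demo-")
    agent01 = os.path.join(root, "Agent01")
    agent02 = os.path.join(root, "Agent02")
    os.makedirs(agent01)
    os.makedirs(agent02)
    for name in ("foo1.zip", "foo2.zip"):
        open(os.path.join(agent01, name), "wb").close()
    for name in ("a.zip", "b.zip", "notes.txt"):  # notes.txt must be skipped
        open(os.path.join(agent02, name), "wb").close()

    event_file_list = os.path.join(agent01, "foo2.zip") + ";" + agent02 + os.sep + "*"
    expanded = expand_event_file_list(event_file_list)
    # Report paths relative to the temp root, with forward slashes, so the
    # result is the same on every platform.
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in expanded]


if __name__ == "__main__":
    print(demo())
```

The explicit-entry check fails fast on purpose: an operator who mistypes one of several paths should find out before any of the other files have been loaded into the database.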

Resolved issues

Incorrect process paths for chrooted programs on Linux

Fix ID: 2722370

The process paths in the Symantec Critical System Protection IPS driver on Linux are incorrectly assigned for chrooted programs. These incorrect paths have the consequence that chrooted processes on Linux may be inadvertently assigned to the wrong process set, thereby subverting the intent of the prevention policy.


When a new process is created, the IPS driver uses the context information available inside the Linux kernel to reconstruct the absolute full path to the process's on-disk image file.

For chrooted processes, there are two views to the full path:

■ The local view from the process perspective.

■ The global view from the root perspective.

For non-chrooted processes these two perspectives are identical. Since the Symantec Critical System Protection prevention policies are written from the global perspective, it is important that the IPS driver switch its view to the global perspective when reconstructing paths for chrooted processes. Before this release, a coding error caused the IPS driver to use the local perspective during one step of process path reconstruction. Consequently, the process path reconstruction failed for chrooted processes and the driver assigned the chrooted processes the path of the last non-chrooted ancestor, /usr/bin/chroot.

The coding error in the IPS driver has been fixed and the process paths are now reconstructed correctly for chrooted processes on Linux.

Affected operating systems: Linux operating systems (chrooted processes only)

Affected Symantec Critical System Protection versions: Release 5.2.8 MP3 and earlier

Affected Symantec Critical System Protection policy: Unix prevention policies

Symantec Critical System Protection agent installation switch -disableFim does not work

Fix ID: 2755741

The Real-Time File Integrity Monitor feature is now available on AIX platforms. Since not all users may want to deploy this feature, the Symantec Critical System Protection Agent installer for AIX accepts a -disableFim command line option. When the installer sees this option it sets an internal "FIM_ENABLE" flag to false. In previous releases, this internal flag was being inadvertently overwritten with a true value during later stages of the installation process, causing the RT-FIM feature to be enabled. The installer has been corrected to process the -disableFim command line argument correctly and not overwrite the FIM_ENABLE flag.

It should be noted that the Symantec Critical System Protection agent provides a post-installation mechanism to disable the RT-FIM feature by using the command: su - sisips -c ./sisipsconfig.sh -rtfim off. This workaround also works for earlier releases.

Affected operating systems: AIX operating systems

Affected Symantec Critical System Protection versions: Releases 5.2.8 MP1 through 5.2.8 MP3

Affected Symantec Critical System Protection policy: Not Applicable

Enabling RT-FIM driver on AIX may cause system crash

Fix ID: 2740790

On AIX, enabling RT-FIM can cause a system crash.

If you have the AIX Auditing facility enabled, this occurs during reboot after installing Symantec Critical System Protection with RT-FIM enabled or after enabling RT-FIM post-install. If you do not have the AIX auditing facility enabled, a crash may still occur when RT-FIM is enabled. This may occur at reboot or during normal operations.

Workaround: Disable the RT-FIM feature post-installation for earlier releases by using the command: su - sisips -c ./sisipsconfig.sh -rtfim off

You must restart the system to remove the driver from the system completely.

Affected operating systems: AIX operating systems

Affected Symantec Critical System Protection versions: Releases 5.2.8 MP1 through 5.2.8 MP3

Affected Symantec Critical System Protection policy: Not Applicable

AIX Incoherent timestamps for IDS WtmpCollector events

Fix ID: 2568121

Some of the failed login events from the IDS WtmpCollector on AIX had timestamps far into the future. This issue occurred because the offset pointer maintained by the IDS WtmpCollector into the /etc/security/failedlogin file had become inadvertently misaligned. The WtmpCollector has been updated to do sanity checks on event timestamps. Events with bad timestamps are now discarded and the file offset pointer is reset to its proper position.

Affected operating systems: Unix operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 MP3 and earlier

Affected Symantec Critical System Protection policy: Not Applicable
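The offset and timestamp handling described for the WtmpCollector, as an added example that is not Symantec's code: a collector over a fixed-size record file that keeps a persisted offset, rejects records whose timestamps fall outside a sanity window, and snaps a misaligned offset back to a record boundary. The 20-byte record layout, the sanity window and the realignment rule are constructed for this example; they are not the AIX failedlogin format.

```python
"""A tolerant fixed-record log collector: timestamp sanity checks and offset reset.

Added example; not the IDS WtmpCollector's code. The AIX failedlogin file is
a utmp-style sequence of fixed-size records; this example uses a constructed
20-byte record (16-byte user name + 32-bit epoch seconds) so it runs
anywhere. The sanity window and the realignment rule are assumptions.
"""
import struct
from typing import List, Tuple

RECORD = struct.Struct("<16sI")  # constructed layout, not the AIX one
RECORD_SIZE = RECORD.size        # 20 bytes
MAX_FUTURE_SKEW = 300            # seconds of clock skew tolerated
MIN_EPOCH = 946_684_800          # 2000-01-01; anything earlier is garbage

Event = Tuple[str, int]


def make_record(user: str, timestamp: int) -> bytes:
    """Constructed helper: build one sample record (struct pads the name with NULs)."""
    return RECORD.pack(user.encode(), timestamp)


class FailedLoginCollector:
    """Reads records from a byte buffer, starting at a persisted offset."""

    def __init__(self, now: int, offset: int = 0):
        self.now = now        # injected clock, so results are reproducible
        self.offset = offset  # persisted between runs, as the real collector does

    def timestamp_is_sane(self, timestamp: int) -> bool:
        return MIN_EPOCH <= timestamp <= self.now + MAX_FUTURE_SKEW

    def collect(self, data: bytes) -> Tuple[List[Event], int]:
        """Return (events, discarded) and advance self.offset.

        A misaligned offset (not a multiple of RECORD_SIZE) is the failure
        mode the release note describes: every subsequent record decodes as
        garbage with absurd timestamps. Rather than forward those, the
        collector drops the record and snaps the offset back to the previous
        record boundary, where parsing resumes correctly.
        """
        events: List[Event] = []
        discarded = 0
        while self.offset + RECORD_SIZE <= len(data):
            raw_user, timestamp = RECORD.unpack_from(data, self.offset)
            if self.timestamp_is_sane(timestamp):
                user = raw_user.rstrip(b"\0").decode(errors="replace")
                events.append((user, timestamp))
                self.offset += RECORD_SIZE
                continue
            discarded += 1
            boundary = (self.offset // RECORD_SIZE) * RECORD_SIZE
            if boundary == self.offset:
                self.offset += RECORD_SIZE  # aligned but bad: skip this record
            else:
                self.offset = boundary      # misaligned: re-read from the boundary
        return events, discarded


if __name__ == "__main__":
    now = 1_340_000_000  # constructed "current time" (mid-2012)
    sample = make_record("root", now - 100) + make_record("alice", now - 50) + make_record("bob", now - 10)
    collector = FailedLoginCollector(now=now, offset=3)  # offset drifted by 3 bytes
    print(collector.collect(sample), collector.offset)
```

The timestamp check is the only signal this collector has that its offset drifted, so a misaligned read that happens to decode a plausible timestamp would slip through; a production collector would also persist the record size with the offset and refuse any offset that is not a multiple of it.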


Silent agent installation failure due to kernel version mismatch on RHEL 5.8

Fix ID: 2726862

When the 5.2.8 MP3 agent is installed in Silent Mode on RHEL 5.8, the install fails. The failure is related to a warning associated with a kernel version mismatch on RHEL 5.8. When the agent is installed in interactive mode, the user is warned about the kernel mismatch but given a choice to continue.

The kernel version mismatch issue has been fixed in 5.2.8 MP4 by adding explicit IPS support for the RHEL 5.8 2.6.18-308 kernel.

The workaround for previous releases was to use the check-bypass install option.

Bypassing prerequisite checks

The UNIX installation kit lets you bypass some of the prerequisite checks for agent installation. You can use this feature if you know the installation kit incorrectly fails a prerequisite. To enable the bypass prerequisite checks feature, run touch as superuser by using the following command:

touch /etc/scsp-check-bypass

You can use the bypass prerequisite checks feature to bypass the following prerequisite checks:

■ Verify that the installation kit is run by the root user.

■ Perform OS platform and version checks.

■ Perform package dependencies checks.

■ Perform file system and disk space usage checks.

When the bypass prerequisite checks feature is used, the installation kit displays all errors and warnings about prerequisite check failures. However, instead of terminating the installation, you may choose to continue. When you run the installation kit in interactive mode, you are prompted to continue with the installation. When you run the installation kit in Silent Mode, the prerequisite failure is logged and the installation continues.

Affected operating systems: RHEL 5.8 (32-bit and 64-bit)

Affected Symantec Critical System Protection versions: Release 5.2.8 MP3

Affected Symantec Critical System Protection policy: Not Applicable


Unexpected IPS behavior with the use of multiple optional parameters in the prevention policies

Fix ID: 2685018

In the previous releases, the Symantec Critical System Protection agent-side translator component incorrectly processed prevention policies that use optional parameter values in a parameter list. If some parameter values exist on the system and some do not, then undesired rules are introduced in the policy. This issue manifests only when there are multiple items in the parameter list and some of the rules reference parameter values that do not exist and some rules reference parameter values that exist.

The agent-side translator processes the following prevention policy configuration correctly:

A parameter list has two rules and one of the rules does not use any optional values or has optional values but they all exist on the agent.

The agent-side translator processes the following prevention policy configuration incorrectly:

A parameter list has two rules with optional parameter values. The first rule contains a value that exists on the agent, and the second rule contains a value that does not exist on the agent. Instead of the second rule being removed, the second rule remains and uses the corresponding value from the first rule.

This issue affects the following lists:

■ File Resource Lists with optional process attributes, such as Program, User, or Group.

■ Registry Resource Lists with optional process attributes, such as Program, User, or Group.

■ Process Control Lists (Custom Routing) with optional process attributes, such as Program, User, or Group.

■ Any Optional List usage

This issue does not affect the following list:

■ Network Resource Lists

This issue has been fixed in 5.2 RU8 MP4.

Affected operating systems: All operating systems supporting IPS feature

Affected Symantec Critical System Protection version: Release 5.2.X through 5.2 RU8 MP3

Affected Symantec Critical System Protection policy: All IPS policy versions
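An added illustration of the translator behavior described in this issue (example code, not Symantec's agent-side translator): a parameter list is modelled as a list of rules whose attributes reference %name% parameters, and the pre-MP4 and MP4 translations are run side by side on a constructed File Resource List with an optional Program attribute. The rule format, parameter names and agent values are assumptions of the example.

```python
"""Agent-side translation of a parameter list with optional parameter values.

Added example; not Symantec's translator code. It models the behaviour the
release note describes: each rule in a list references parameters, some of
which are optional and may have no value on a given agent. The rule format
(attribute -> template with %name% references), the parameter names and the
agent values are constructed for this example.
"""
import re
from typing import Dict, List, Optional

PARAM_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
Rule = Dict[str, str]


def resolve(template: str, values: Dict[str, str]) -> Optional[str]:
    """Substitute every %name% reference; None if any name has no value."""
    missing = False

    def substitute(match) -> str:
        nonlocal missing
        name = match.group(1)
        if name not in values:
            missing = True
            return ""
        return values[name]

    resolved = PARAM_REF.sub(substitute, template)
    return None if missing else resolved


def translate_buggy(rules: List[Rule], values: Dict[str, str]) -> List[Rule]:
    """Pre-5.2.8 MP4 behaviour.

    A rule whose optional value is missing is not removed; the attribute
    silently falls back to the last value resolved for that attribute by an
    earlier rule in the same list. That is how an unintended rule appears.
    """
    last_resolved: Dict[str, str] = {}
    out: List[Rule] = []
    for rule in rules:
        translated: Rule = {}
        complete = True
        for attr, template in rule.items():
            value = resolve(template, values)
            if value is None:
                if attr not in last_resolved:
                    complete = False  # nothing to fall back on: rule dropped
                    break
                value = last_resolved[attr]  # stale carry-over: the defect
            last_resolved[attr] = value
            translated[attr] = value
        if complete:
            out.append(translated)
    return out


def translate_fixed(rules: List[Rule], values: Dict[str, str]) -> List[Rule]:
    """5.2.8 MP4 behaviour: a rule referencing any undefined parameter is
    dropped whole, and no value leaks from one rule into another."""
    out: List[Rule] = []
    for rule in rules:
        translated = {attr: resolve(template, values) for attr, template in rule.items()}
        if all(value is not None for value in translated.values()):
            out.append(translated)
    return out


# Constructed File Resource List with an optional Program attribute.
SAMPLE_RULES: List[Rule] = [
    {"path": "%data_dir%/*", "program": "%backup_bin%"},  # backup_bin defined
    {"path": "%data_dir%/*", "program": "%legacy_bin%"},  # legacy_bin undefined
]
SAMPLE_VALUES: Dict[str, str] = {
    "data_dir": "/var/data",
    "backup_bin": "/opt/backup/bin/bk",
}

if __name__ == "__main__":
    print("buggy:", translate_buggy(SAMPLE_RULES, SAMPLE_VALUES))
    print("fixed:", translate_fixed(SAMPLE_RULES, SAMPLE_VALUES))
```

With the buggy translator the second rule survives as a duplicate of the first, which is the "undesired rule" the note refers to; with the fixed translator only the rule whose parameters all resolve remains, and reversing the list order shows that nothing is carried from one rule to the next.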


Policy translation error with out of the box policy using mandatory reference lookup on empty registry value

Fix ID: 2597146

Out of the box prevention policies look up registry values to obtain the installation path of a particular application. These built-in lookups are guarded by autoconfs, which are conditionals evaluated by the agent-side translator process. One such autoconf is "valueExists", which checks whether a particular registry value exists on the system and guards references to registry value lookups. If the valueExists autoconf evaluates to true, the registry value reference is evaluated; otherwise the reference is omitted. In previous releases, the valueExists autoconf only checked for the existence of a registry value without checking its data, so the autoconf evaluated to true even if the registry value held an empty string. As a result, if a leftover registry value with an empty string remains after an incomplete uninstall, and the reference to that registry value is guarded by a valueExists autoconf for the same registry value, the autoconf returns true. When the translator component then tries to look up the registry value to get the data, it expects a non-empty string because the lookup is mandatory, throws the error "Reference evaluated to an empty string", and the policy fails to apply.

The agent-side translator component has been updated in 5.2.8 MP4 to return true for a valueExists autoconf only when the registry value has non-empty data. This prevents policy translation errors from referencing these registry values in the policy.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection version: Releases 5.2.X until 5.2 RU8 MP3

Affected Symantec Critical System Protection policy: All Windows IPS policy versions
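The valueExists guard before and after the change, as an added example (not Symantec's translator code). The registry is an in-memory dictionary so the code runs on any platform; the key paths and value names are constructed, and the exception text mirrors the error quoted in the issue description.

```python
"""The valueExists autoconf guard, before and after the 5.2.8 MP4 change.

Added example; not Symantec's translator code. The registry is an in-memory
dictionary so the example runs on any platform; key paths and value names
are constructed, and the exception text mirrors the error quoted in the
release note.
"""
from typing import Callable, Dict, Optional, Tuple

Registry = Dict[Tuple[str, str], str]  # (key path, value name) -> data
Guard = Callable[[Registry, str, str], bool]

# Constructed snapshot. The empty string models a value left behind by an
# incomplete uninstall: present in the registry, but with no data.
REGISTRY: Registry = {
    (r"HKLM\SOFTWARE\ExampleVendor\App", "InstallPath"): "",
    (r"HKLM\SOFTWARE\ExampleVendor\OtherApp", "InstallPath"): r"C:\Program Files\OtherApp",
}

# Constructed policy: two guarded rules, each looking up one InstallPath.
GUARDED_RULES = (
    ("app_exec", r"HKLM\SOFTWARE\ExampleVendor\App"),
    ("other_exec", r"HKLM\SOFTWARE\ExampleVendor\OtherApp"),
)
PATTERN = r"%InstallPath%\bin\*.exe"


def value_exists_old(registry: Registry, key: str, name: str) -> bool:
    """Pre-MP4 guard: true whenever the value is present, even with empty data."""
    return (key, name) in registry


def value_exists_fixed(registry: Registry, key: str, name: str) -> bool:
    """MP4 guard: true only when the value is present and its data is non-empty."""
    return bool(registry.get((key, name)))


def lookup_mandatory(registry: Registry, key: str, name: str) -> str:
    """A mandatory reference lookup must yield a non-empty string."""
    data = registry.get((key, name))
    if not data:
        raise ValueError("Reference evaluated to an empty string")
    return data


def translate_rule(registry: Registry, key: str, guard: Guard) -> Optional[str]:
    """Resolve one guarded reference; None means the guard omitted it."""
    if not guard(registry, key, "InstallPath"):
        return None
    return PATTERN.replace("%InstallPath%", lookup_mandatory(registry, key, "InstallPath"))


def apply_policy(registry: Registry, guard: Guard) -> Dict[str, Optional[str]]:
    """Translate every guarded rule; raises ValueError if translation fails."""
    return {rule: translate_rule(registry, key, guard) for rule, key in GUARDED_RULES}


def policy_applies(registry: Registry, guard: Guard) -> bool:
    """True if the whole policy translates without error."""
    try:
        apply_policy(registry, guard)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("old guard, policy applies:", policy_applies(REGISTRY, value_exists_old))
    print("fixed guard:", apply_policy(REGISTRY, value_exists_fixed))
```

With the old guard the leftover empty value passes the check and the mandatory lookup then fails, so the whole policy is rejected; with the fixed guard that rule is simply omitted and the remaining rules still apply.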

Excessive memory usage by SISIDSService on Windows Domain Controllers

Fix ID: 2753207

The SISIDSService reads information from the Windows Eventlog events that contain User SID (Security Identifier) data. The SISIDSService maintains a cache of User SIDs to look up user names. This cache does not have any limit. As a result, memory usage increases due to heavy internal caching of SID to username pairs that are used to decode EventLog data. For Domain Controllers servicing thousands of users, the cache can grow quite large rapidly, resulting in increased memory usage by the SISIDSService.


For the 5.2.8 MP4 release, a maximum size limit is set for the SISIDSService cache. Also, a Least Recently Used (LRU) mechanism is added to pick the element that needs to be removed from the cache once the cache reaches its maximum size limit. This resolves the excessive memory usage issue for the SISIDSService on Windows Domain Controllers.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection version: Releases 5.2.X until 5.2 RU8 MP3

Affected Symantec Critical System Protection policy: Not Applicable
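The bounded LRU cache described above, as an added example that is not Symantec's code: a size-capped cache for SID-to-account-name lookups, driven by a constructed stream of event SIDs. The SID values, the account-name format and the "expensive lookup" stand-in are assumptions for illustration; the point is that cache size stays at the cap however many distinct SIDs the event log carries, and that hot entries keep being served from the cache.

```python
# Added example (not Symantec's code): a size-capped LRU cache for
# SID -> account-name lookups in place of an unbounded dictionary.
# SIDs and account names below are constructed for illustration.
from collections import OrderedDict


class BoundedLruCache:
    """Keeps at most max_size entries; when full, evicts the least
    recently used one."""

    def __init__(self, max_size):
        if max_size < 1:
            raise ValueError("max_size must be positive")
        self.max_size = max_size
        self._entries = OrderedDict()  # iteration order == recency order
        self.evictions = 0

    def get(self, key):
        if key not in self._entries:
            return None
        self._entries.move_to_end(key)  # mark as most recently used
        return self._entries[key]

    def put(self, key, value):
        if key in self._entries:
            self._entries.move_to_end(key)
        self._entries[key] = value
        if len(self._entries) > self.max_size:
            self._entries.popitem(last=False)  # drop least recently used
            self.evictions += 1

    def __len__(self):
        return len(self._entries)


def resolve_sid(sid, cache, lookup_calls):
    """Return the account name for a SID, consulting the cache before the
    (simulated) expensive directory lookup. lookup_calls is a one-element
    list used as a counter of real lookups."""
    name = cache.get(sid)
    if name is None:
        lookup_calls[0] += 1
        # Constructed stand-in for the directory lookup result.
        name = "EXAMPLE\\user" + sid.rsplit("-", 1)[1]
        cache.put(sid, name)
    return name


def decode_events(event_sids, max_cache_size):
    """Decode a stream of event SIDs.
    Returns (final cache size, evictions, real lookups performed)."""
    cache = BoundedLruCache(max_cache_size)
    lookup_calls = [0]
    for sid in event_sids:
        resolve_sid(sid, cache, lookup_calls)
    return len(cache), cache.evictions, lookup_calls[0]


def constructed_sids(n_users, repeats):
    """Constructed event stream: n_users distinct SIDs, the whole set
    repeated `repeats` times (each user logging on again)."""
    base = "S-1-5-21-1000000000-2000000000-3000000000-"
    return [base + str(1000 + u) for _ in range(repeats) for u in range(n_users)]


if __name__ == "__main__":
    # 5000 distinct users through a 1000-entry cache: size stays at 1000.
    print(decode_events(constructed_sids(5000, 1), 1000))
    # 500 users logging on three times: only the first pass does real lookups.
    print(decode_events(constructed_sids(500, 3), 1000))
```

Choosing the cap is a tuning question: too small and a busy domain controller repeats lookups it just did, too large and the cache again approaches the unbounded behaviour the fix removes; the evictions and lookups counters above are the two numbers to watch when sizing it.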

High CPU usage by SISIDSService on Windows Domain Controllers

Fix ID: 2754489

The SISIDSService contains a code path that captures successful domain logins. In previous releases, this code path suffered from inefficient logic that executed repeated LoadLibrary calls on the same libraries for every single EventLog event of a type configured in the IDS policy. On busy domain controllers with a high number of login/logoff events, this resulted in high CPU usage for the SISIDSService.

This coding error has been resolved in 5.2.8 MP4.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection version: Releases 5.2.X until 5.2 RU8 MP3

Affected Symantec Critical System Protection policy: Not Applicable

SISIDSService does not shut down cleanly under high Windows Eventlog load

Fix ID: 2753218

A component of SISIDSService, the IDS EventLog collector, was not checking for shutdown notifications until it reached EOF for the event log files. As a result, the SISIDSService would not shut down from the Service Control Manager and had to be force-terminated from the Task Manager. The issue appears when there is a continuous stream of new records in the Windows Event Log.

This issue has been resolved in 5.2.8 MP4. Now, the SISIDSService checks for shutdown after each event log record is processed and aborts processing further records if it needs to shut down.

Affected operating systems: Windows operating systems


Affected Symantec Critical System Protection version: Releases 5.2.X until 5.2 RU8 MP3

Affected Symantec Critical System Protection policy: Not Applicable
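The shutdown-check placement described above, as an added example that is not Symantec's collector code: a record loop driven by a constructed never-ending event stream, with a threading.Event standing in for the Service Control Manager's stop notification. Checking the flag only at EOF never terminates on a continuous stream (the demo caps it to stand in for a force-terminate); checking it after every record stops promptly. All names and the record format are assumptions for illustration.

```python
# Added example (not Symantec's code): a collector loop that tests for a
# shutdown request after every record instead of only at end of file.
# The record stream, stop flag and record format are constructed.
import itertools
import threading


def endless_event_log():
    """Stand-in for an event log receiving a continuous stream of new
    records: iterating it never reaches EOF."""
    for record_id in itertools.count(1):
        yield {"record_id": record_id, "message": f"constructed event {record_id}"}


def collect(records, stop_event, handle, check_per_record, safety_cap=10_000):
    """Process records until EOF or, when check_per_record is True, until
    stop_event is set. safety_cap bounds the run when check_per_record is
    False, standing in for an operator force-terminating the service.
    Returns (records processed, reason the loop ended)."""
    processed = 0
    for record in records:
        if check_per_record and stop_event.is_set():
            return processed, "stopped"
        if processed >= safety_cap:
            return processed, "force-terminated"
        handle(record)
        processed += 1
    return processed, "eof"


def run_demo(check_per_record, stop_after=3):
    """Simulate the Service Control Manager requesting a stop while the
    collector is busy: the flag is raised once `stop_after` records have
    been handled."""
    stop_event = threading.Event()

    def handle(record):
        if record["record_id"] >= stop_after:
            stop_event.set()

    return collect(endless_event_log(), stop_event, handle, check_per_record)


def finite_demo():
    """A short log that does reach EOF, with no stop request."""
    records = [{"record_id": i, "message": "constructed"} for i in range(1, 6)]
    return collect(iter(records), threading.Event(), lambda record: None, True)


if __name__ == "__main__":
    print("check per record:", run_demo(True))    # stops after 3 records
    print("check at EOF only:", run_demo(False))  # never sees EOF, hits the cap
    print("finite log:", finite_demo())           # (5, 'eof')
```

A service that cannot honour a stop request is an availability and patching problem as much as a bug: every agent upgrade or emergency restart then depends on someone killing the process by hand.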

Applying a large number of custom policies on agents prevents new policy compilation

Fix ID: 2707487

In the 5.2.6 release, when custom policies were first introduced, there was a limit of about 20 custom policies that a Symantec Critical System Protection agent could pick up from its groups in the Symantec Critical System Protection Console. Anything over that limit caused the Symantec Critical System Protection agent to stay flagged and never have the policy applied until some of the custom policies were removed to lower the count to below 20. The limit came from the way the server generated the UID for a set of custom policies. The UID creation has now been modified to allow as many custom policies as needed to be created. The issue that caused Symantec Critical System Protection to stop compiling new policies when you apply a large number (more than 21) of custom policies is now fixed.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.6 through 5.2.8 MP3

Affected Symantec Critical System Protection policy: Not Applicable

Conversion of varchar value throws an exception on Symantec Critical System Protection Server

Fix ID: 2662917

Whenever agents send events with corrupt data, for example a number as large as (2^32)-1, the Symantec Critical System Protection Server fails to process it and throws a BatchUpdateException: The conversion of the varchar value 2147542573 overflowed an int column. Such errors are reported only when the bad data is stored to a database column of type int, which cannot take values larger than 2^31. One example where this was an issue was when the event sequence number coming from agents was generated with such high values that it resulted in an integer overflow. In such scenarios, no more agent events with such a sequence number can be accepted.

This issue has been addressed by updating the stored procedure for the database.

Affected operating systems: Windows operating systems


Affected Symantec Critical System Protection versions: Release 5.2.8 MP3 and earlier

Affected Symantec Critical System Protection policy: Not Applicable

Settings in the sis-server.properties ignored after a Management Server upgrade

Fix ID: 2693411

In previous releases, any custom settings saved to sis-server.properties, such as the Bulk Log Directory location, would not persist after the management server was upgraded to a newer version. The only workaround was to manually restart the management server after it was upgraded. This was required to bring any custom settings made in the sis-server.properties file into effect.

The upgrade portion of the server installer has been fixed in 5.2.8 MP4, removing the need to manually restart the Symantec Critical System Protection Server. Any custom settings in the sis-server.properties file are maintained across the server upgrade.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Releases 5.2.0 to 5.2.8 MP3

Affected Symantec Critical System Protection policy: Not Applicable

Ordering of Rules in the IDS Baseline Policy

Fix ID: 2597255

In previous releases, the ordering of the options under the System Group Changes Option Group in the Symantec Critical System Protection Windows Baseline detection policy was inconsistent with the other options in the policy.

The Windows baseline policy has been updated to display the options in the correct order.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2 RU6 through 5.2 RU8

Affected Symantec Critical System Protection policy: Windows Baseline policy

System deadlock or panic on Solaris Servers with Cluster software

Fix ID: 2753232


Previous releases had an issue with the IPS driver holding a shared DriverLock (reader) around a blocking operation before calling GetExecArgs. This caused a deadlock and forced a system restart. This issue has been fixed in 5.2.8 MP4, where the shared DriverLock is unlocked before any call is made to GetExecArgs.

Affected operating systems: Solaris 9 and 10

Affected Symantec Critical System Protection version: Release 5.2.8 MP3 or earlier

Affected Symantec Critical System Protection policy: Not Applicable

When exporting directories from a highly active NFS Server, Symantec Critical System Protection IPS may cause Solaris 9 and 10 to crash

Due to a synchronization issue between the IPS driver and a highly active NFS Server, a system exporting remote shares over NFS may experience a crash on Solaris 9 and 10. The issue occurs in the IPS driver when dereferencing a NULL pointer to a vnode cache entry that is used to monitor NFS server activity. This applies to systems with heavy NFS file activity.

Workaround: You must disable IPS by using the following command:

su - sisips -c "./sisipsconfig.sh -i"

For more information on disabling IPS, see the following knowledge base article:

http://www.symantec.com/docs/HOWTO66119

Restart the system after you have disabled IPS.

The issue is now resolved in 5.2.8 MP4 for Solaris 9.

Affected operating systems: Solaris 9 and 10 with high NFS Server activity. This defect applies to any environment in which the Solaris 9 or 10 bundled NFS server software is used directly or indirectly, for example when loaded by the Veritas Cluster Server NFS Agent.

Affected Symantec Critical System Protection versions: Release 5.2.8 MP3 or earlier

Affected Symantec Critical System Protection policy: Not Applicable

IPS Driver causes high CPU and possible system crash when a 32-bit process executes a command with a long parameter list on a 64-bit Linux platform

Fix ID: 2795913


A 32-bit process executing a command with a long parameter list (>8192 bytes) on Linux with the Symantec Critical System Protection IPS driver loaded (with the NULL or any prevention policy) can get into an infinite loop while processing user exec arguments. The process appears to spike at 100% CPU. If the system has multiple CPUs, it can still handle system operations. However, the system may eventually hang if it is resource-starved enough, requiring a restart of the system to recover.

The issue has been addressed in the IPS driver for 5.2.8 MP4, where boundary checks are added for command-line argument processing.

Affected operating systems: All supported 64-bit operating systems for Red Hat Enterprise Linux 5.x and SUSE Linux Enterprise Server 10

Affected Symantec Critical System Protection versions: Release 5.2.8 MP3 or earlier

Affected Symantec Critical System Protection policy: Not Applicable

High CPU usage from processes with file operations on a large number of files in the /tmp (tmpfs) file system

Fix ID: 2668618

The Symantec Critical System Protection IPS driver requires the real or absolute path of the files that are involved in an access check to compare against the IPS policy. The input paths in some cases may be relative paths, which the driver needs to convert to absolute paths. The previous version of the IPS driver accomplished this task by making a readdir() call at each level to get the directory entries as it built up the full path. These calls affect performance and are expensive when executed on a tmpfs file system with a significantly high number of files in its subdirectories, where each readdir() call returns all the directory entries in /tmp that need to be traversed. The realpath lookup performance impact is also associated with the chdir() call that is used by commands such as find, rm, and so on. Therefore, when any of these commands is run on /tmp with a high volume of files, it causes high CPU usage for the process running the command.

The issue has been resolved in 5.2.8 MP4 for Solaris 9, where the IPS driver now maintains an internal object that records the current working directory of a process in the object's cwd member. This record is updated every time the process invokes chdir(). When the driver needs to do a realpath lookup, it uses the value of the current working directory from the object member instead of invoking the expensive readdir() call. Also, the chdir() driver hook has been enhanced to eliminate any readdir() calls for realpath lookups, replacing them with the cwd member of the internal object.


Affected operating systems: Solaris 9 and 10

Affected Symantec Critical System Protection versions: Release 5.2.8 MP3 or earlier

Affected Symantec Critical System Protection policy: UNIX Prevention Policies

Known issues

SCSP Console window does not display any assets for the Custom Policy Re-apply Policy Wizard

If you right-click a custom prevention policy and choose the Reapply Policy menu to bring up the Reapply Policy Wizard, it comes up with a blank window where it should display the assets the policy was previously applied to. The issue is with the SQL query that retrieves the list of assets the policy is currently applied to.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.6 through 5.2.8 MP3


Chapter 2 Release 5.2.8 MP3

This chapter includes the following topics:

■ What's new in release 5.2.8 MP3

■ Resolved issues

■ Known issues

What's new in release 5.2.8 MP3

Additional platform support

The 5.2.8 MP3 release adds support for the following platforms:

Platform                           Support for IDS   Support for IPS

Solaris 10 U10                     Yes               Yes

Red Hat Enterprise Linux 5.7/5.8   Yes               Yes

Solaris 11                         Yes               -

About copying alerts

The Symantec Critical System Protection Copy Alerts function lets you create copies of alerts. For example, if there are existing alerts with complex filters and you want to create another alert with similar filters and some additional filters, you can copy an existing alert and add the required filter to it instead of creating an alert from the start.

The copied alert appears in the format Copy of_Alertname. For example, a copied alert for an existing alert named ALERT1 would appear as Copy of_ALERT1.


Creating copies of alerts

To create copies of an alert

1 Log on to the management console.

2 Click the Monitors tab.

3 Click Alerts.

4 In the Alerts Configuration pane, right-click an alert and select Copy Alert.

Kill any process with the Symantec Critical System Protection new detection policy

This Windows detection policy attempts to kill any process that acts as an injectee or an injector. The Kill_Prevention_PSET policy is used in combination with the prevention policies. When the Kill_Prevention_PSET policy is applied to an agent, all processes routed to thread_injectee_nopriv_ps or thread_injector_nopriv_ps are killed by using the taskkill.exe application.

Note: The processes are routed to the thread_injectee_nopriv_ps or thread_injector_nopriv_ps PSETs only when you apply the IPS policy and configure the policy to detect thread injection. By default, thread injection detection is enabled in the core, strict, and limited execution prevention policies.

Following are the Kill_Prevention_PSET policy options:

Kill all thread injectee processes: The prevention policy applies this option only when it finds that unauthorized code has been injected into a specific process.

Kill all thread injector processes: The prevention policy applies this option only when it finds that the process has injected code into another process against the policy restrictions.

Kill New Processes in a Specific PSET: Kills any process that is routed to it. To enable this option, check Show advanced options.

Tightened thread injection rules in the Windows policies

Symantec Critical System Protection has tightened the injection rule. Now, on detection of thread injection, it blocks the whole injectee process instead of blocking only the injectee thread.

Symantec Critical System Protection now provides an additional option to confine the injected process. To enable this option:


1 Edit any Windows prevention policy.

2 Under Settings > Global Policy Options > Additional parameter Settings, check If a thread injection is detected, confine the injected process to a No Privilege PSET.

Option added in the template policies to record a certain number of events generated in a specified time interval

Symantec Critical System Protection enables you to record the number of events generated within a specific time interval. For example, you can track the number of logon failures within a specific time interval. You can enable the Number of Events in an Interval option in the Windows and Unix template policies. Once you have enabled this option, the logon failure information is captured in the custom application log file.
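The counting behind an events-in-an-interval option, as an added example that is not Symantec's policy engine code: a sliding-window counter run over a constructed list of logon events, keyed per user, that reports every point at which the number of logon failures in the trailing interval reaches a threshold. The event tuple format, the timestamps and the threshold are assumptions for illustration; the example goes slightly beyond the text by keeping a separate window per user so one account's failures do not count against another's.

```python
# Added example (not Symantec's code): sliding-window count of one event
# type per user, the logic behind a "number of events in an interval"
# rule for logon failures. The sample events are constructed.
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event type, user), in time order.
SAMPLE_EVENTS = [
    ("2012-07-01T10:00:00", "logon_failure", "alice"),
    ("2012-07-01T10:00:10", "logon_failure", "alice"),
    ("2012-07-01T10:00:20", "logon_success", "bob"),
    ("2012-07-01T10:00:30", "logon_failure", "alice"),
    ("2012-07-01T10:00:40", "logon_failure", "bob"),
    ("2012-07-01T10:00:45", "logon_failure", "alice"),
    ("2012-07-01T10:00:50", "logon_failure", "alice"),
    ("2012-07-01T10:02:00", "logon_failure", "alice"),
    ("2012-07-01T10:02:30", "logon_failure", "alice"),
]


def events_in_interval(events, event_type, interval_seconds, threshold):
    """Return (timestamp, user, count) for every event at which the number
    of `event_type` events for that user within the trailing
    `interval_seconds` reached `threshold`. Events must be chronological."""
    interval = timedelta(seconds=interval_seconds)
    windows = {}  # user -> deque of timestamps inside the current window
    hits = []
    for ts_text, kind, user in events:
        if kind != event_type:
            continue
        ts = datetime.fromisoformat(ts_text)
        window = windows.setdefault(user, deque())
        window.append(ts)
        # Drop everything older than the interval, measured from this event.
        while window and window[0] < ts - interval:
            window.popleft()
        if len(window) >= threshold:
            hits.append((ts_text, user, len(window)))
    return hits


if __name__ == "__main__":
    # Four or more failures for one user inside 60 seconds.
    for hit in events_in_interval(SAMPLE_EVENTS, "logon_failure", 60, 4):
        print(hit)
```

Two points a reviewer of such a rule should check: the window is measured backwards from each new event (so a burst is noticed at the event that completes it, not at a fixed clock tick), and the counter is keyed per user, otherwise a few failures each from many accounts would trip a threshold meant for one account.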

Resolved issues

SISIDSRegDrv.sys blue screen error

On Windows systems with Symantec Critical System Protection installed, you experienced a blue screen error when you configured the detection policy to monitor registry changes. This issue is uncommon, but it can occur with the out-of-box Windows Baseline Detection policy or any other detection policy that you configure to monitor registry values. The Windows agent software has been updated to fix this issue.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: Not Applicable

Policy updated

ESX protection policy (revision 198) was released with Symantec Critical System Protection version 5.2 RU7 MP3. An older version of the ESX protection policy (revision number 192) was erroneously included in 5.2 RU8 and later releases. An updated version of the ESX protection policy (revision number 199) is included in this release.

Affected operating systems: ESX 4.X

Affected Symantec Critical System Protection versions: Release 5.2 RU8, 5.2 RU8 MP2


Affected Symantec Critical System Protection policy: ESX protection policy

Windows system performance degradation with circular directory symbolic links

Fix ID: 2773303

There is degradation in system performance for Symantec Critical System Protection installed on Windows operating systems. This issue occurs if you configure Symantec Critical System Protection to monitor files and directories by using either the IPS driver (even with a null policy) or Real-Time File Integrity Monitoring on a system that has directory symbolic links referencing each other in a circular manner. The Windows agent software has been updated to fix this issue.

Affected operating systems: Windows 2008/2003/XP (32-bit and 64-bit)

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: Not Applicable

Updated monitored file lists in the Unix Baseline policy

In the Unix Baseline Detection policy, the List of Core System Files is updated to include the correct files and directories in the monitored file list. Also, the ignore list is updated to contain only a subset of the monitored file list.

Affected operating systems: Linux and UNIX operating systems

Affected Symantec Critical System Protection versions: Release 5.2 RU7, 5.2 RU8

Affected Symantec Critical System Protection policy: Unix Baseline Detection policy

Continuous system restart or system startup failure

When you enable the prevention features on Windows systems with Symantec Critical System Protection installed, creation of symbolic registry links is highly restricted. Since the Windows prevention policy does not provide explicit control of registry symbolic link creation, it is possible to configure the prevention policy in such a way that it unintentionally denies legitimate registry symbolic links during system startup. In this case, the system would not boot successfully or could fail with a blue screen error, depending on the processes that were affected. The Windows prevention policy has been updated to allow creation of registry symbolic links for registry resources that are writable.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier


Affected Symantec Critical System Protection policy: Windows prevention policies

Incorrect processing of alert filter with wildcard

When you used the alert filter operator Not Contain with the wildcard character * in an alert filter configuration to generate email alerts, incorrect filtering occurred with unexpected results. This issue is fixed now.

Affected operating systems: All operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: Not Applicable

Incorrect parameter label in the Baseline detection policy

In previous versions, the Symantec Critical System Protection Windows Baseline detection policy contained incorrect labels for the EventID(s) fields, which were displayed in the detection policy editor dialog and console.

The Windows baseline policy has been updated to display the correct label EventID(s) in the detection policy editor dialog and console.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2 RU6 through 5.2 RU8

Affected Symantec Critical System Protection policy: Windows Baseline policy

Silent installation works as expected

When a command-line or unattended installation fails on the Windows platform due to incorrect parameters, it also fails to remove the temporary folders used by the installer. Once this failure occurs, subsequent installations also fail until the temporary folders are removed manually. The Windows Installer has been updated to remove the temporary folders upon installation failure to allow successful installations.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: Not Applicable


Support for optional modifier reference in a network rule

In previous versions, if an optional modifier was used in a network rule and the parameter was undefined or defined but empty, the prevention policy application failed with a policy translation error.

Symantec Critical System Protection now lets you add an optional modifier reference (-) in a network rule. For example, you can add the optional modifier reference (-) in a network rule such as %-port_list%, where the port_list is not required to be defined or can be empty. If the optional parameter is not present, the specific network rule is omitted during policy processing and the rest of the prevention policy content is applied.

Affected operating systems: Windows, Red Hat Enterprise Linux, SUSE Linux Enterprise Server and Solaris

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: Prevention policies

Degraded system performance on systems running a significant number of processes while the Symantec Critical System Protection agent is installed

When the Symantec Critical System Protection agent is installed on systems with the prevention feature enabled, system performance degrades noticeably when the system has a large number of active processes. This can happen with any prevention policy, including the null policy. Symantec Critical System Protection maintains a data structure that contains information about all the active processes and dead processes whose children are active. For every file system access call, the Symantec Critical System Protection kernel driver traverses this list of information. The traversal time of linked lists increases with the number of active processes in the system, leading to system-wide performance degradation. The fix replaces the linked list with a hashed list, allowing for much higher performance during information lookup. This fix reduces the access time to the data structure, resulting in improved performance.

Affected operating systems: All supported operating systems with the prevention (IPS) feature

Affected Symantec Critical System Protection versions: Release 5.2.8 MP2 and earlier

Affected Symantec Critical System Protection policy: Not Applicable


Known issues

Symantec Critical System Protection does not record SU operations logoff events

If you have enabled the SU operations option in the Unix Baseline Detection policy, SU logoff events are not captured.

Affected operating systems: Solaris 10 and 11

Affected Symantec Critical System Protection versions: Release 5.2.8

Affected Symantec Critical System Protection policy: UNIX Baseline Detection policy

Local port parameter does not work for network outbound TCPconnection control

The use of local port to control outbound TCP network connection does not workon Windows 2003 (64-bit).

Affected operating systems: Window 2003 (64-bit)

Affected Symantec Critical System Protection versions: All versions

Affected Symantec Critical System Protection policy: All versions


Chapter 3 Release 5.2.8 MP2

This chapter includes the following topics:

■ What's new in release 5.2.8 MP2

■ Resolved issues

■ Known issues

What's new in release 5.2.8 MP2

Additional platform support

The 5.2.8 MP2 release adds support for the following platforms:

■ Symantec Critical System Protection now supports the IDS features on computers that run the Red Hat Enterprise Linux 6.2 operating system.

■ Symantec Critical System Protection now supports the IDS features on computers that run the Red Hat Enterprise Linux 5.7 operating system. It does not load any kernel driver.

Note: If you upgrade from RHEL 5.6 to RHEL 5.7 with the agent installed and you have enabled prevention, then you must uninstall the agent and reinstall the release 5.2.8 MP2 agent.


Targeted prevention policy

About the Targeted prevention policy

The Targeted prevention policy lets you define a set of baseline controls for the entire system. For example, you can apply buffer overflow protection to the entire system and no other prevention.

The Targeted prevention policy allows access to all resources by default and lets you block access or modifications to resources that you have configured in the policy options. It also provides you the ability to customize the policy according to your needs by adding custom programs to the policy.

Policy file name for Windows operating systems: sym_win_targeted_prevention_sbp

Policy file name for UNIX operating systems: sym_unix_targeted_prevention_sbp

The Targeted prevention policy includes an SCSP self protection option. When the SCSP self protection option is selected, it protects against a user or a process tampering with the Symantec Critical System Protection configuration data or program data.

For example, the following configuration data is protected in that write access is blocked and logged, whereas read access is blocked but not logged:

■ The Certificate files on server, console, and agent

■ The server configuration file tomcat\conf\server.xml

■ The IPS agent configuration file IPS\agent.ini

■ The IDS agent configuration file IDS\agent.ini

The following configuration data and program data is protected as read-only:

■ All files under the agent install directory

■ All files under the agent log directory

■ All Symantec Critical System Protection driver files

The following directories are protected against being renamed:

■ The agent install directory

■ The agent log directory

The Targeted prevention policy provides the following options:


Global Policy options: Provides a set of global options that apply to all the processes on the system. When you apply global options in the policy, they are applied to all the PSETs in the policy.

Built-In PSET options: Provides a set of options to configure the Built-In PSETs. The Windows Targeted prevention policy contains four built-in PSETs to handle Kernel Driver controls, Remote File Access controls, Symantec Critical System Protection Agent and Server controls. The Targeted prevention policy always routes these processes to the built-in PSETs. You cannot override these built-in PSETs.

Default PSET options: The Targeted prevention policy routes all processes to the Default PSET, with the exception of the Built-In PSETs. You can configure all protection features in the Default PSET.

My Custom Programs: Define one or more custom programs within the policy to override the security settings in the Default PSET. Additionally, you can also define custom lists which can be referenced elsewhere in the policy.

Note: If you set Disable Prevention at the global level, then Symantec Critical System Protection disables prevention for all PSETs. You cannot enable prevention in a Custom PSET or the Default PSET.

See “How the Targeted prevention policy works” on page 33.

See “About using custom lists with the Targeted prevention policy” on page 35.

See “About using custom programs with the Targeted prevention policy” on page 34.

How the Targeted prevention policy works

The Targeted prevention policy includes a set of Built-In PSETs to control access to the kernel and Symantec Critical System Protection processes. You cannot override a Built-In PSET. However, you can configure the Built-In PSETs by using the policy options.

With the exception of the Built-in PSETs, the Targeted prevention policy routes all processes to the Default PSET. All protection features are configurable in the Default PSET. However, the Default PSET can be overridden by adding a custom program to the policy. One or more custom programs can be defined within the policy, and they override the security settings in the Default PSET.


See “About the Targeted prevention policy” on page 32.

See “About using custom lists with the Targeted prevention policy” on page 35.

See “About using custom programs with the Targeted prevention policy” on page 34.

About using custom programs with the Targeted prevention policy

The Targeted prevention policy lets you create custom programs based on the following templates:

Fully open template: Use the fully open custom program template to build up security protections. By default, it has no security restrictions. All processes assigned to the fully open custom program have no default resource restriction defined. Moreover, protection features such as buffer overflow detection and thread injection detection are also disabled. See “Creating custom programs based on the fully open template” on page 36.

Fully closed template: Use the fully closed custom program template to relax security protections. All processes assigned to the fully closed custom program are denied access to all resources and all protection features are enabled by default. The protection features such as buffer overflow detection and thread injection detection are also enabled by default. See “About using the fully closed custom program template” on page 34. See “Creating custom programs based on the fully closed template” on page 38.

See “About using custom lists with the Targeted prevention policy” on page 35.

See “About the Targeted prevention policy” on page 32.

About using the fully closed custom program template

You can use the fully closed custom program template in the following ways:

■ If you do not want a program to run at all, then you can create a fully closed custom program and route the program to this custom program PSET.

Note: This method does allow the program to run, although the program isblocked from accessing any file, registry, or network resources.


■ If you want to strictly limit a program regarding the resources it can access, you can create a fully closed custom program. You must configure the custom program and allow write access to only the resources this program needs access to, while allowing read access to all resources on the system.

By default, the fully closed custom program denies access to all resources and logs all access attempts as trivial. Since all access attempts are logged as trivial, you can enable trivial logging for this custom program to see what resources the program attempts to access.

Symantec recommends that you configure the custom program to allow read access to all resources on the system, and to allow write access only to the resources required by this custom program.

To determine what resources the custom program needs write access to

1 Edit the file, registry, and process access rules in the custom program and place a wildcard in the Read-only Resource Lists:

■ Block modifications to these files

■ Block modifications to these Registry keys

2 Enable logging of trivial policy violations in the custom program under General Settings.

3 Disable prevention in the custom program.

Apply this policy to the agent, and then execute the custom program. The trivial events generated will show what resources the program is accessing for write access. You can use these events to configure the custom program and allow write access to the appropriate resources. Once you have determined the specific resources the program needs write access to, you can then enable prevention in the custom program.

See “About using custom programs with the Targeted prevention policy” on page 34.

See “Creating custom programs based on the fully closed template” on page 38.

About using custom lists with the Targeted prevention policy

The Targeted prevention policy lets you create generic program lists and generic string lists. You can refer to these custom lists in other parts of the policy. You can access these custom lists by editing the Targeted prevention policy in the management console.


Generic Program list: The generic program list contains a list of programs. In the management console, the generic program list appears as a set of applications to be referenced later.

Generic String list: The generic string list contains a list of users, groups, network addresses, or network ports. In the management console, the generic string list appears as a list of items to be referenced later.

See “About using custom programs with the Targeted prevention policy” on page 34.

See “About the Targeted prevention policy” on page 32.

Creating custom programs based on the fully open template

The Symantec Critical System Protection Targeted prevention policy lets you create custom programs based on the fully open template.

To create a custom program based on the fully open template

1 In the management console, click Prevention View.

2 On the Policies page, click the Symantec folder and then, in the workspace pane, double-click sym_win_targeted_prevention_sbp.

3 In the policy editor dialog box, click My Custom Programs, and then click New.

4 In the New Custom Control Wizard dialog box, specify the following information:

Display Name: Type a descriptive name. Example: Notepad

Category: Select This Custom Program PSET is fully open, it has no default security restrictions.

Identifier: Type a unique name that the policy uses internally. The identifier must not include spaces or special characters. Example: NotepadID

Description: Type a full description.

5 Click Finish.


6 In the policy editor dialog box, click My Custom Programs > Notepad > Settings.

7 In the Notepad Settings pane, double-click Notepad [cust_NotepadID_ps] and do the following:

■ Check and expand This Custom Program PSET is fully open, it has no default security restrictions, and then click List of programs to route to this custom PSET.

■ In the List of programs to route to this custom PSET section, click Add, and then add the following path: C:\Windows\system32\notepad.exe

■ Check Enable SCSP Self Protection.

8 In the policy editor dialog box, double-click File Rules > Read-Only Resource Lists and do the following:

■ Check and expand Block modifications to these files, and then click List of files that should not be modified.

■ In the List of files that should not be modified section, click Add, and then add the file path that you do not want to be modified. For example, test.txt.

9 Click OK and apply the policy on the agent.

10 On the agent computer, open the test.txt file and verify the following events:

The process start event showing NOTEPAD.EXE being assigned to the custom PSET cust_NotepadID_ps:

PPST,655,2011-09-09 20:02:38.919 Z-0400,I,,,b3218cab450cde2dde92d225489f4ee0,e,,,WIN2K8-R2\Administrator,0,C:\Windows\system32\NOTEPAD.EXE,3844,,"&quot;C:\Windows\system32\NOTEPAD.EXE&quot; C:\temp\test.txt",create,cust_NotepadID_ps,2360,,,,C:\Windows\Explorer.EXE,,,\WINDOWS\SYSTEM32\SHLWAPI.DLL,3464,,

The denied file access event when test.txt is accessed by using Notepad:

PFIL,656,2011-09-09 20:02:38.593 Z-0400,W,,R,b3218cab450cde2dde92d225489f4ee0,e,,,WIN2K8-R2\Administrator,0,C:\Windows\system32\NOTEPAD.EXE,3844,D,C:\temp\test.txt,NtCreateFile, cust_notepad_ps, ffffffff,c0000022,00120089,,,,00000001,\WINDOWS\SYSTEM32\KERNELBASE.DLL,3464,,
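As an added example (not part of the release notes), the following Python script parses records like the two above to confirm that notepad.exe was routed to cust_NotepadID_ps and that its write to test.txt was denied. The sample records are constructed from the two events shown, and the field positions (record type, severity, process path, PSET, target, status) are inferred from those records rather than taken from a published format, so treat them as assumptions.

```python
import csv
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS value reported in the denied PFIL event above (STATUS_ACCESS_DENIED).
STATUS_ACCESS_DENIED = "c0000022"

# Constructed sample records modelled on the two events shown in step 10
# (command-line quoting normalised, same PSET identifier in both records).
SAMPLE_EVENTS = r'''PPST,655,2011-09-09 20:02:38.919 Z-0400,I,,,b3218cab450cde2dde92d225489f4ee0,e,,,WIN2K8-R2\Administrator,0,C:\Windows\system32\NOTEPAD.EXE,3844,,"&quot;C:\Windows\system32\NOTEPAD.EXE&quot; C:\temp\test.txt",create,cust_NotepadID_ps,2360,,,,C:\Windows\Explorer.EXE,,,\WINDOWS\SYSTEM32\SHLWAPI.DLL,3464,,
PFIL,656,2011-09-09 20:02:38.593 Z-0400,W,,R,b3218cab450cde2dde92d225489f4ee0,e,,,WIN2K8-R2\Administrator,0,C:\Windows\system32\NOTEPAD.EXE,3844,D,C:\temp\test.txt,NtCreateFile,cust_NotepadID_ps,ffffffff,c0000022,00120089,,,,00000001,\WINDOWS\SYSTEM32\KERNELBASE.DLL,3464,,
'''


@dataclass
class Event:
    kind: str                # PPST = process start, PFIL = file access (assumed)
    severity: str            # "I" or "W" in the sample records (assumed position)
    process: str             # image path of the process the event is about
    pset: str                # PSET the process was routed to
    operation: str           # "create" for PPST, the NT call name for PFIL
    target: Optional[str]    # file path for PFIL events
    denied: bool             # PFIL field 14 is "D" when access was denied (assumed)
    status: Optional[str]    # NTSTATUS for PFIL events


def parse_event(line: str) -> Optional[Event]:
    """Split one comma-separated record; field positions are assumed from the samples."""
    fields = next(csv.reader([line]))
    if len(fields) < 20:
        return None
    kind = fields[0]
    if kind == "PPST":
        return Event(kind, fields[3], fields[12], fields[17], fields[16], None, False, None)
    if kind == "PFIL":
        return Event(kind, fields[3], fields[12], fields[17], fields[16],
                     fields[15], fields[14] == "D", fields[19].lower())
    return None


def verify_routing(log_text: str, program: str, pset: str) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Confirm that `program` was routed to `pset` and list the accesses that PSET denied.

    Returns (routed, denials); each denial is (target path, operation, NTSTATUS).
    """
    routed = False
    denials: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.process.lower() != program.lower():
            continue
        if ev.kind == "PPST" and ev.pset == pset:
            routed = True
        elif ev.kind == "PFIL" and ev.pset == pset and ev.denied:
            denials.append((ev.target, ev.operation, ev.status))
    return routed, denials


if __name__ == "__main__":
    routed, denials = verify_routing(SAMPLE_EVENTS, r"C:\Windows\system32\notepad.exe", "cust_NotepadID_ps")
    print("routed to custom PSET:", routed)
    for target, op, status in denials:
        print(f"denied {op} on {target} (status {status}, access denied: {status == STATUS_ACCESS_DENIED})")
```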


See “About using custom programs with the Targeted prevention policy” on page 34.

See “Creating custom programs based on the fully closed template” on page 38.

Creating custom programs based on the fully closed template

The Symantec Critical System Protection Targeted prevention policy lets you create custom programs based on the fully closed template.

To create a custom program based on the fully closed template

1 In the management console, click Prevention View.

2 On the Policies page, click the Symantec folder and then, in the workspace pane, double-click sym_win_targeted_prevention_sbp.

3 In the policy editor dialog box, click My Custom Programs, and then click New.

4 In the New Custom Control Wizard dialog box, specify the following information:

Display Name: Type a descriptive name. Example: Services

Category: Select This Custom Program PSET is fully closed and locked down by default.

Identifier: Type a name that the policy uses internally. Example: Services

Description: Type a full description.

5 Click Finish.

6 In the policy editor dialog box, check Services [cust_Services_ps], and do the following:

■ Check and expand This Custom Program is fully closed and locked down by default, and then click List of programs to route to this custom PSET.

■ In the List of programs to route to this custom PSET section, click Add, and then add the following path: C:\Windows\system32\tlntsvr.exe

■ Check Child processes remain in this custom PSET.

■ Check Enable Buffer Overflow Protection.


■ Check Enable Thread Injection Detection.

7 Click OK and apply the policy on the agent.

8 Open the log file from the following path:

C:\Program Files (x86)\Symantec\Critical System Protection\Agent\IPS\scsplog

9 Verify that tlntsvr.exe is routed to the defined custom PSET, cust_Services_ps, and that the remaining processes are routed to the Default PSET.

See “Creating custom programs based on the fully open template” on page 36.

See “About using the fully closed custom program template” on page 34.

See “About using custom programs with the Targeted prevention policy” on page 34.

About the duplicate agent registration settings

You can disable the registration of duplicate agents with the management server. By default, Symantec Critical System Protection lets you register duplicate agents based on some common attributes such as IP address, agent name, and so on. When Symantec Critical System Protection recognizes a duplicate agent, it updates the existing agent record in the database with the new agent data and flags the agent for policies and configs.

Symantec Critical System Protection evaluates the uniqueness of each agent based on the following attributes:

■ Primary attributes

  ■ Agent name

  ■ Host name

  ■ IP address

■ Secondary attributes

  ■ Domain name

  ■ Operating system type

See “Disabling duplicate agent registration” on page 39.

Disabling duplicate agent registration

Symantec Critical System Protection enables you to prevent registration of duplicate agents.


To disable duplicate agent registration

1 In the management console, click Prevention View or Detection View.

2 Click Admin.

3 Click System Settings.

4 Click Agent settings.

5 Check Detect Duplicate Agent Registration.

6 Check attributes under Primary Agent Attributes for Duplicate Agent Identification and Secondary Agent Attributes for Duplicate Agent Identification.

You must select at least one primary attribute.

7 Click Save.

See “About the duplicate agent registration settings” on page 39.

Resolved issues

Systems with heavy network load experienced higher CPU usage

The issue that caused Active Directory servers under heavy network load to experience 100 percent CPU utilization, caused by the Symantec Critical System Protection sisidsservice and network driver, is now fixed.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: Not Applicable

The System_Failed_Access_Status policy now records the login failure for batch jobs

Previously, the System_Failed_Access_Status policy did not record event 529 with Logon type 4, which occurs when you specify invalid credentials for creating a batch job. The policy is now updated to record batch job login failures.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8 and earlier

Affected Symantec Critical System Protection policy: System_Failed_Access_Status, Windows Baseline policy


Root-level failed telnet logon is now recorded by Symantec Critical System Protection

Symantec Critical System Protection now records the failed root logon event set up by Kerberos telnet. The Unix Baseline policy and the agent are updated to record the failed root logons.

Affected operating systems: All Linux and UNIX operating systems

Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Unix Baseline policy

Continuous file change alerts no longer occur when you upgrade the Symantec Critical System Protection 5.2.6 MP2 agent to any new agent version

The issue that caused continuous file change alerts when you upgraded the 5.2.6 MP2 agent to any new agent version is now fixed.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2 RU8

Affected Symantec Critical System Protection policy: Not Applicable

The Windows_template_policy allowed adding identical value and comment entries in the filewatch list

In the previous version, you were able to add identical value and comment entries in the filewatch list. Now, if you try to add identical value and comment entries, an error message appears.

Affected operating systems: All supported operating systems for the Symantec Critical System Protection console

Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Windows_template_policy

Symantec Critical System Protection detection service start or restart triggered excessive filewatch events

In the previous version, starting or restarting the Symantec Critical System Protection detection service resulted in incorrect filewatch events being found. Now, when you start or restart the Symantec Critical System Protection detection service, no incorrect filewatch events are generated.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2 RU8

Affected Symantec Critical System Protection policy: Not Applicable

Blue screen error no longer occurs

The issue that caused a blue screen error to occur on Windows Server (with the AnywhereUSB product installed) with the Symantec Critical System Protection agent installed has been fixed.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Not Applicable

Symantec Critical System Protection policies now retain the policy values after export and import

When you export a policy, its default parameters are exported in the option-settings.sbp file. When you import a policy, the parameter values in option-settings.sbp and those in the compiled policy settings are merged. Hence, when a merged parameter from option-settings.sbp matches a parameter already in the compiled policy, the parameter from the compiled policy is overwritten.

Now, when you import the policy, the Import option deletes the matching parameter in the compiled policy settings, so that policy values are retained across export and import.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Not Applicable

User Name information for Windows Event Log events no longer appears blank

The Event Viewer now displays the User Name information for Windows Event Log events correctly for the User and Group Change Monitor rule.

Affected operating systems: Windows operating systems


Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Not Applicable

Windows Detection Policy now provides the flexibility to add date and time restrictions to each rule in System Audit Tampering

In the previous version, you were able to add date and time restrictions in System Audit Tampering only globally. Now, the Windows Baseline policy is updated to let you add date and time restrictions to individual rules under System Audit Tampering. This allows granularity in case you want to specify different date and time values for different rules. For example, if you do not want Symantec Critical System Protection to alert when security events from the Windows Event Viewer are cleared during a specific time period, you can enable the date and time restriction under Security Log Events Deleted. This date and time restriction does not affect other rules under System Audit Tampering.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.6

Affected Symantec Critical System Protection policy: Windows_Baseline_Detection

Timeout dialog box now displays the console name it is connected to

In previous versions, when multiple consoles were connected to different management servers with the timeout console feature activated for all consoles, it was difficult to identify which timeout dialog box was associated with which console. Now, the timeout dialog box title displays the console name it is associated with.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Not Applicable

Symantec Critical System Protection now displays the correct count of registered agents in the System Summary query result

In the previous version, if you ran the System Summary query, the Total Registered Agents count and the Count by OS field appeared blank. Now, this issue is fixed and Symantec Critical System Protection displays the correct count of registered agents and the agent count for each operating system.


Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: All versions of Symantec Critical System Protection

Affected Symantec Critical System Protection policy: Not Applicable

Known issues

Cannot use an optional user name reference in a network rule

If any optional field in a network rule is undefined, or defined but empty, the entire rule is removed from the policy for that agent. For example, if a rule references an optional list for remote IP address and an optional list for remote port, and the remote IP list is defined but the remote port list is not defined, then the rule is removed.

The workaround for this issue is to add an asterisk (*) in the Program path field in the rule. This causes the user name field to be obeyed.

Affected operating systems: Windows operating systems

Affected Symantec Critical System Protection versions: Release 5.2.8

Successful FTP logons by root are not recorded by Symantec Critical System Protection

Symantec Critical System Protection does not record successful FTP logons by root. The successful FTP logon information is maintained in the syslog file.

The workaround for this issue is to manually find the FTP logon information in the /var/syslog file. You must configure the VSFTPD service to log the FTP connection information in the syslog file.

Affected operating systems: RHEL 6.1(64-bit)

Affected Symantec Critical System Protection versions: Release 5.2.8


Release 5.2.8 MP1

This chapter includes the following topics:

■ What's new in release 5.2.8 MP1

What's new in release 5.2.8 MP1

This release contains the following notable features:

■ IDS support for AIX 7.1

■ Real-time file integrity monitoring on AIX 5.3 and 6.1

IDS features

AIX 7.1 support

Symantec Critical System Protection now supports the IDS features on computers that run the AIX 7.1 operating system.

The Unix Baseline Detection policy provides all the IDS features on the AIX 7.1 operating system, for example file monitoring in polling mode, logon, logoff and failed logon monitoring, and user or group configuration monitoring.

Note: Real-time file integrity monitoring and IPS are currently not supported on AIX 7.1.

Real-time file integrity monitoring for AIX

Real-time file integrity monitoring is supported on the following versions of the AIX operating system:

■ AIX 6.1


■ AIX 5.3 (64-bit kernel)

Each time you change the policies, the Symantec Critical System Protection agent decides whether to use real-time file integrity monitoring or the more traditional polling-based file integrity monitoring.

Real-time file integrity monitoring is used to monitor all files except for the following:

■ File systems that are mounted from remote servers, for example NFS or SMB file systems exported by remote systems and mounted on the AIX system. If any policy monitors the files on the remote file systems, then those files are monitored by using polling-based file integrity monitoring.

■ Portions of local file systems that have been exported via NFS. The Symantec Critical System Protection agent uses the ‘exportfs -v’ command to determine what is being exported. All directories exported via NFS are monitored using polling-based file integrity monitoring. The rest of the local file systems are monitored using real-time file integrity monitoring.

Note: The Symantec Critical System Protection agent executes the ‘exportfs -v’ command only when the IDS daemon starts or when new detection policies are applied to the system. If the system administrator modifies the list of exports while the system is running, the Symantec Critical System Protection agent does not notice the change. The administrator should manually restart the IDS daemon after making any changes to the exported NFS configuration to ensure that the Symantec Critical System Protection agent is using the updated information.


Release 5.2 RU8

This chapter includes the following topics:

■ What's new in release 5.2.RU8

■ Additional release information

■ What you need to know before you install or upgrade your software

■ Legal Notice

What's new in release 5.2.RU8

IDS and IPS features

Additional platform and feature support

The 5.2.RU8 release adds support for the following platforms:

■ The Symantec Critical System Protection agent now supports the IDS features on computers that run Red Hat Enterprise Linux 6.0 and 6.1 operating systems (64-bit only).

■ The Symantec Critical System Protection agent now supports both the IDS features and the IPS features on computers that run SUSE Linux Enterprise Server 10 SP4.

■ The Symantec Critical System Protection manager, console, and agent (both for IDS and IPS) now run on computers that run Windows Server 2008 R2 SP1.

■ The use of an optional user in a policy, which was made available for computers that run Linux and AIX in release 5.2 RU7, is now supported on computers that run Windows and Solaris.


User and group names in policy options can be marked as optional. If the translator cannot look up the user or group, it is omitted from the policy rather than resulting in a translation error. You enter an optional user name or group name in prevention policies by adding a dash (-) before the user name or group name. For example, you would use -administrator to make the administrator user name optional. In this case, the policy is applied even if the user name is not available on the system. If you use administrator (with no dash) instead, the presence of the administrator name is mandatory, and the policy fails to apply if it is not available. This syntax can be used even if the user names or group names are in environment variables or registry keys.

Note: This feature is implemented in the agent, so it is only available on Solaris when you use release 5.2 RU8 and later agents.

■ Many of the IDS and IPS policy enhancements included in previous releases for other operating systems are now available on computers that run Solaris operating systems.

The agent for computers that run Solaris 9 and 10 now includes the following IDS and IPS policy enhancement support:

■ UNIX Baseline Detection policy

■ The following IDS file integrity monitoring features:

■ SHA-256 hashing

■ File hash checking on every update

■ Text log monitoring supports Unicode

Note: This feature is implemented in the agent, so it is only available on Solaris when you use release 5.2 RU8 and later agents.

■ Custom IPS Policies: You can now define custom program definitions in a separate policy. This feature provides flexibility in sharing those definitions among several groups of assets and in combining them with other custom policies or base prevention policies.

■ IPS option consistency: Options that let you specify a file and a process that can use that file are available in all resource lists in the IPS policy.


■ IPS translator options

■ Wildcards and netmasks in IP addresses

■ Local subnet translator functions

Note: This feature is implemented in the agent, so it is only available on Solaris when you use release 5.2 RU8 and later agents.

Note: Real-time file integrity monitoring is not currently supported on Solaris.
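As an added illustration (not code from the release notes or the product), the following Python functions model the optional user name rule described above for the optional-user feature: a leading dash marks a name optional, an unresolvable optional name is dropped from the translated policy, and an unresolvable mandatory name makes the whole policy fail to apply. The account table and the lookup function are constructed stand-ins for the agent's user and group lookup.

```python
from typing import Callable, Dict, List, Optional, Tuple


class PolicyTranslationError(Exception):
    """Raised when a mandatory user or group name cannot be resolved on the agent."""


def parse_principal(entry: str) -> Tuple[str, bool]:
    """Split a policy entry into (name, optional); a leading dash marks it optional."""
    entry = entry.strip()
    if entry.startswith("-"):
        return entry[1:].strip(), True
    return entry, False


def translate_principals(entries: List[str],
                         exists: Callable[[str], bool]) -> Tuple[List[str], List[str]]:
    """Resolve one policy option's list of user or group names.

    Names that resolve are kept. Optional names that do not resolve are
    omitted. A mandatory name that does not resolve is a translation error.
    Returns (resolved names, omitted optional names).
    """
    resolved: List[str] = []
    omitted: List[str] = []
    for entry in entries:
        name, optional = parse_principal(entry)
        if exists(name):
            resolved.append(name)
        elif optional:
            omitted.append(name)
        else:
            raise PolicyTranslationError(f"mandatory name {name!r} not found on this agent")
    return resolved, omitted


def translate_policy(options: Dict[str, List[str]],
                     exists: Callable[[str], bool]) -> Optional[Dict[str, List[str]]]:
    """Translate every option of a policy.

    Returns the applied options, or None when any mandatory name is missing,
    because in that case the policy as a whole fails to apply.
    """
    applied: Dict[str, List[str]] = {}
    try:
        for option, entries in options.items():
            applied[option], _ = translate_principals(entries, exists)
    except PolicyTranslationError:
        return None
    return applied


# Constructed stand-in for the agent's local user/group lookup (hypothetical accounts).
LOCAL_ACCOUNTS = {"administrator", "backupops", "svc_web"}


def local_account_exists(name: str) -> bool:
    return name.lower() in LOCAL_ACCOUNTS


if __name__ == "__main__":
    # 'dbadmin' is absent but optional, so it is dropped and the policy still applies.
    print(translate_policy({"allowed_users": ["administrator", "-dbadmin"]}, local_account_exists))
    # 'dbadmin' is absent and mandatory, so the policy fails to apply.
    print(translate_policy({"allowed_users": ["administrator", "dbadmin"]}, local_account_exists))
```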

Support for syslog-ng

Symantec Critical System Protection now supports syslog-ng on computers that run Solaris 9 and 10 operating systems.

Configuring syslog-ng and rsyslog for use with the Symantec Critical System Protection IDS agent

The Symantec Critical System Protection IDS agent supports the syslogd, syslog-ng, and rsyslog system logging daemons. The standard UNIX system logging daemon should work without any additional user configuration.

If syslog-ng or rsyslog was installed with its configuration and start scripts in nonstandard locations, then you may need to perform additional configuration steps to get the Symantec Critical System Protection IDS agent to work properly with it. The following information describes the Symantec Critical System Protection IDS agent's assumptions regarding the system logging daemon so that you can adjust your configuration to conform to them.

For the latest information on this topic, see the following URL:

Additional configuration steps may be required for the Symantec Critical System Protection IDS Agent to work properly with syslog-ng and rsyslog logging daemons

About system logging daemon selection

You can explicitly configure the Symantec Critical System Protection IDS agent to use a particular logging system. Use the Syslog Daemon key in the [Syslog Collector] section of the LocalAgent.ini file for this purpose. Any changes to this setting do not take effect until the sisidsdaemon is restarted.

The relevant section of the LocalAgent.ini file is as follows:


[Syslog Collector]

#Syslog Daemon=DEFAULT

The valid values for the Syslog Daemon key are as follows:

■ DEFAULT

■ SYSLOGD

■ SYSLOGNG

■ RSYSLOGD

When you specify any value other than DEFAULT, the Symantec Critical System Protection IDS agent attempts to configure and use that type of system logger. The installed logger must conform to the assumptions that are outlined in the following topics:

See “About system logging daemon configuration” on page 50.

See “About the system logging daemon script ” on page 51.

If the Symantec Critical System Protection IDS agent fails to configure and start the system logger that is specified in the LocalAgent.ini file, or if a system logger type is not explicitly specified, then the IDS agent attempts to detect the logging daemon in use by querying the running process list and looking for the process names in the following order:

■ syslogd

■ syslog-ng

■ rsyslogd

If the IDS agent does not find one of those processes, it then attempts to start the logging daemons in the following order:

■ syslogd

■ syslog-ng

■ rsyslogd

See “About the system logging daemon script ” on page 51.

About system logging daemon configuration

The Symantec Critical System Protection IDS agent assumes that the system logging daemon configuration files are in the following locations:

■ syslogd: /etc/syslog.conf

■ syslog-ng: /etc/syslog-ng/syslog-ng.conf

■ rsyslogd: /etc/rsyslog.conf


If the configuration files are not located at their assumed locations, then you must create a symlink from the assumed path to the actual path. For example, on RHEL 5.4, syslog-ng installs its configuration at /usr/local/etc/syslog-ng.conf, but it can be located anywhere, depending upon the build configuration options that were used when the package was created. For example, you might use the following command to create a link at the assumed path that points to the actual file:

ln -s /usr/local/etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf

About the system logging daemon script

The Symantec Critical System Protection IDS agent uses the following commands to start the system logging daemons:

On Linux/Solaris 9:

■ syslogd: /etc/init.d/syslog start

■ syslog-ng: /etc/init.d/syslog start

■ rsyslogd: /etc/init.d/rsyslog start

On Solaris 10:

■ syslogd: /usr/sbin/svcadm enable svc:/system/system-log

■ syslog-ng: /usr/sbin/svcadm enable svc:/system/system-log

■ rsyslogd: /usr/sbin/svcadm enable svc:/network/rsyslog

On HP-UX:

■ syslogd: /sbin/init.d/syslogd start

■ syslog-ng: /sbin/init.d/syslog-ng start

■ rsyslogd: /sbin/init.d/rsyslogd start

On AIX:

■ syslogd: /usr/bin/startsrc -s syslogd

■ syslog-ng: /usr/bin/startsrc -s syslog-ng

■ rsyslogd: /usr/bin/startsrc -s rsyslogd

On Tru-64:

syslogd: /usr/sbin/syslogd -e

Configuring syslog-ng to work with Symantec Critical System Protection on Solaris 10

The Symantec Critical System Protection agent requires the configuration file to be located at /etc/syslog-ng/syslog-ng.conf. It also requires that the SMF service name be the same as for syslogd: svc:/system/system-log. If you need to use an existing configuration, you should symlink it.

For information about creating a symlink to an existing configuration, see step 2 of the following procedure.

If syslog-ng is already set up with different SMF configuration names, you mustrename them to system-log.

Note: You must start the syslog-ng daemon in background process mode rather than the default foreground mode. Starting it in foreground mode makes it appear that two instances are running, and the Symantec Critical System Protection agent is not able to monitor it if two instances are running. Add the --process-mode=background option to the syslog-ng startup script.

Before performing the following procedure, you should already have downloadedand installed all syslog-ng packages and any software on which it depends fromsunfreeware.com.

To configure syslog-ng to work with Symantec Critical System Protection on Solaris 10

1 Create the /etc/syslog-ng directory. For example, you can use the following commands:

cd /etc

mkdir /etc/syslog-ng

chmod 755 /etc/syslog-ng

chown root:sys /etc/syslog-ng

2 Depending on your configuration, perform one of the following tasks:

■ If you use the default configuration file that is provided by the SMCsyslng package, then copy the configuration file into /etc/syslog-ng. For example, you can use the following commands:

cp /usr/local/doc/syslogng/doc/examples/syslog-ng.conf.solaris /etc/syslog-ng/syslog-ng.conf

chmod 644 /etc/syslog-ng/syslog-ng.conf && chown root:sys /etc/syslog-ng/syslog-ng.conf

■ If you use an existing configuration, then create a symlink to the existing configuration file, /etc/syslog-ng.conf. For example, you can use the following command:

ln -s /etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf


3 Check the correctness of the configuration by using the following command:

/usr/local/sbin/syslog-ng -v -s -f /etc/syslog-ng/syslog-ng.conf

Note: If you get the following error from syslog-ng: Conversion from character set '646' to 'UTF-8' is not supported, then create or add the following line to the /usr/local/lib/charset.alias file:

646 ISO-8859-1

4 Disable syslogd and remove the original syslogd SMF service manifest from the database. For example, you can use the following commands:

svcadm disable svc:/system/system-log

svccfg

svc:> delete system-log*

svc:> quit

5 Save a copy of the original syslogd SMF manifest and method files. For example, you can use the following commands:

cp /lib/svc/method/system-log /lib/svc/method/system-log.orig

cp /var/svc/manifest/system/system-log.xml /var/svc/manifest/system/system-log.xml.orig

6 Copy or modify the syslog-ng service manifest and method files to the following locations:

■ /var/svc/manifest/system/system-log.xml

■ /lib/svc/method/system-log

If you use the manifest files and method files that are provided with the SMCsyslng package, then you need to change the following options:

■ the service name

■ the method file name

■ the daemon

Following are example diffs of the changes that you need to make:

# diff /usr/local/doc/syslogng/contrib/solaris-packaging/syslog-ng.example.xml /var/svc/manifest/system/system-log.xml

7c7

< name='system/syslog-ng'


---

> name='system/system-log'
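Review bot: the rename to system/system-log in this hunk is functional, not cosmetic: the agent starts the Solaris 10 logger with /usr/sbin/svcadm enable svc:/system/system-log (see the daemon script topic above), so a manifest that keeps the name system/syslog-ng would never be enabled by the agent, and step 7's svcadm -v enable system-log would also fail to find the service.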

68c68

< exec='/lib/svc/method/syslog-ng %m'

---

> exec='/lib/svc/method/system-log %m'

78c78

< exec='/lib/svc/method/syslog-ng %m'

---

> exec='/lib/svc/method/system-log %m'

88c88

< exec='/lib/svc/method/syslog-ng %m'

---

> exec='/lib/svc/method/system-log %m'

# diff /usr/local/doc/syslogng/contrib/solaris-packaging/syslog-ng.method /lib/svc/method/system-log

12c12

< SYSLOGNG_PREFIX=/opt/syslog-ng

---

> SYSLOGNG_PREFIX=/usr/local

14,15c14,15

< CONFFILE=$SYSLOGNG_PREFIX/etc/syslog-ng.conf

< PIDFILE=$SYSLOGNG_PREFIX/var/run/syslog-ng.pid

---

> CONFFILE=/etc/syslog-ng/syslog-ng.conf

> PIDFILE=/var/run/syslog-ng.pid
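Review bot: the CONFFILE and PIDFILE values in this hunk must stay aligned with the rest of the procedure: /etc/syslog-ng/syslog-ng.conf is the path the agent assumes for the configuration, and /var/run/syslog-ng.pid is the PIDFILE that step 8 asks you to compare against the running process. Changing either one silently breaks the agent's configuration check or the step 8 verification.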

18c18

< OPTIONS=

---

> OPTIONS="-f $CONFFILE -p $PIDFILE --process-mode=background"
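Review bot: the --process-mode=background flag in the new OPTIONS line is what satisfies the note above; without it syslog-ng runs in the foreground and shows up as two instances, which the agent cannot monitor. Passing -f $CONFFILE and -p $PIDFILE explicitly also stops the daemon from falling back to the compiled-in defaults under the original SYSLOGNG_PREFIX.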

27c27

< ${SYSLOGNG} --syntax-only

---

> ${SYSLOGNG} -f $CONFFILE --syntax-only
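Review bot: the -f $CONFFILE added to the syntax check in this hunk is required; the original `${SYSLOGNG} --syntax-only` validates the daemon's compiled-in default configuration path rather than /etc/syslog-ng/syslog-ng.conf, so a broken relocated configuration would pass the method script's check and the service would still fail to start.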


7 Validate and import the syslog-ng SMF manifest, and then enable the service. For example, you can use the following commands:

svccfg

svc:> validate /var/svc/manifest/system/system-log.xml

svc:> import /var/svc/manifest/system/system-log.xml

svc:> quit

svcadm -v enable system-log

8 Verify that only one instance of syslog-ng is running and that it matches the PIDFILE, /var/run/syslog-ng.pid. If syslog-ng is not running, check the SMF service log, /var/svc/log/system-system-log\:default.log. Use the following command:

ps -ef |grep syslog-ng

9 Send a test message to syslog-ng by using the logger command:

logger -p daemon.crit syslog-ng test

Check the tail of the /var/adm/messages file. It should contain a line similar to the following line:

Oct 27 15:16:40 local@scsp-sol10 root: [ID 702911 daemon.crit] syslog-ng test


Configuring Symantec Critical System Protection to work with syslog-ng on Solaris 10

To configure Symantec Critical System Protection to work with syslog-ng on Solaris 10

1 Stop the Symantec Critical System Protection IDS agent by using the following command:

/etc/init.d/sisidsagent stop

2 Switch to syslog-ng in the IDS LocalAgent.ini file by editing the /opt/Symantec/scspagent/IDS/system/LocalAgent.ini file.

In the [Syslog Collector] section, change Syslog Daemon from DEFAULT to SYSLOGNG. Make sure that the Syslog NG Source option is correct for your configuration. For example, the [Syslog Collector] section should look similar to this:

[Syslog Collector]

#Derive Virtual Agents=0

Syslog Daemon=SYSLOGNG

Syslog NG Source=local # name in the config for internal and /dev/log sources (aka 'src' or 's_sys', etc)

#Syslog NG Filter=scsp_filter

Note: Be sure that you remove the comment marker (#) when you change the value.

3 Start the Symantec Critical System Protection IDS agent by using the following command:

/etc/init.d/sisidsagent start

4 Verify that the following lines were added to the /etc/syslog-ng/syslog-ng.conf file:

# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(local); filter(scsp_filter); destination(scsp_dest); };

5 Generate some syslog messages, for example, log on and log out with the appropriate policy applied. Verify that an event is generated as expected.


Configuring syslog-ng to work with Symantec Critical System Protection on Solaris 8 and Solaris 9

For Solaris 8 and Solaris 9, the Symantec Critical System Protection IDS agent requires that the configuration file be /etc/syslog-ng/syslog-ng.conf, and the startup script be /etc/init.d/syslog. If you have already set up syslog-ng with different startup or configuration scripts, make sure that there are symlinks pointing to the existing startup and configuration files.

Note: You must start the syslog-ng daemon in background process mode rather than the default foreground mode. Starting it in foreground mode makes it appear that two instances are running. The Symantec Critical System Protection agent is not able to monitor if two instances are running. You should add the --process-mode=background option to the syslog-ng startup script.

Before performing the following procedure, you should already have downloaded and installed all syslog-ng packages and any software on which it depends from sunfreeware.com.

To configure syslog-ng to work with Symantec Critical System Protection on Solaris 8 and Solaris 9

1 Create the /etc/syslog-ng directory. For example, you can use the following commands:

cd /etc

mkdir /etc/syslog-ng

chmod 755 /etc/syslog-ng

chown root:sys /etc/syslog-ng

2 Perform one of the following tasks:

■ If you use the default configuration file provided by the SMCsyslng package, copy the configuration file into /etc/syslog-ng by using the following commands:

cp /usr/local/doc/syslogng/doc/examples/syslog-ng.conf.solaris /etc/syslog-ng/syslog-ng.conf
chmod 644 /etc/syslog-ng/syslog-ng.conf && chown root:sys /etc/syslog-ng/syslog-ng.conf

■ If you use an existing configuration, create a symlink to the existing configuration file, /etc/syslog-ng.conf, by using the following command:

ln -s /etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf


3 Check the correctness of the configuration by using the following command:

/usr/local/sbin/syslog-ng -v -s -f /etc/syslog-ng/syslog-ng.conf

4 Copy the startup script into /etc/init.d and modify it by using the following commands:

cp /etc/init.d/syslog /etc/init.d/syslog.orig
cp /usr/local/doc/syslogng/contrib/init.d.solaris /etc/init.d/syslog
chmod 744 /etc/init.d/syslog && chown root:sys /etc/init.d/syslog

5 If you use the startup script from the SMCsyslng package, you must make some changes in the script.

Following are example diffs of the changes that you need to make:

< OPTIONS="-f /etc/syslog-ng/syslog-ng.conf"

---

> PID_FILE=/var/run/syslog-ng.pid

> CONF_FILE=/etc/syslog-ng/syslog-ng.conf

> OPTIONS="-f $CONF_FILE -p $PID_FILE --process-mode=background"
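Review bot: this first hunk has no range header (the `NcM` line that the other hunks carry is missing), so it cannot be applied with patch as shown and the reader has to locate the OPTIONS line by hand; please add the header. Note also that the PID file moves here from /etc/syslog-ng/syslog-ng.pid, which the `<` lines of the later hunks still use, to PID_FILE=/var/run/syslog-ng.pid.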

16c18

< if [ -f /etc/syslog-ng/syslog-ng.conf -a -f /usr/local/sbin

/syslog-ng ]; then

---

> if [ -f $CONF_FILE -a -f $DAEMON ]; then
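Review bot: `$DAEMON` is not assigned in any of the shown hunks. It is already used on the unchanged `<` side of 28c30, so the SMCsyslng script defines it, but because the old test hard-coded /usr/local/sbin/syslog-ng, confirm that DAEMON names the same binary that step 3 checked the configuration with.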

28c30

< $DAEMON $OPTIONS -p /etc/syslog-ng/syslog-ng.pid

---

> $DAEMON $OPTIONS
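Review bot: dropping `-p /etc/syslog-ng/syslog-ng.pid` here is correct now that `-p $PID_FILE` is carried in OPTIONS, but the PID file thereby moves to /var/run/syslog-ng.pid; step 8 below still tells the reader to compare the running instance against /etc/syslog-ng/syslog-ng.pid, a file that will no longer be written after this change.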

33,35c35,37

< if [ -f /etc/syslog-ng/syslog-ng.pid ]; then

< syspid=`/usr/bin/cat /etc/syslog-ng/syslog-ng.pid`

< [ "$syspid" -gt 0 ] && kill -15 $syspid && rm

/etc/syslog-ng/syslog-ng.pid

---

> if [ -f $PID_FILE ]; then

> syspid=`/usr/bin/cat $PID_FILE`

> [ "$syspid" -gt 0 ] && kill -15 $syspid && rm -f $PID_FILE
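Review bot: `[ "$syspid" -gt 0 ]` raises a shell error (and skips the kill) when the PID file exists but is empty, and a stale PID file makes `kill -15 $syspid` signal whatever unrelated process now holds that PID; defaulting the value (`${syspid:-0}`) and confirming with ps that the PID still belongs to syslog-ng before signalling would make the stop path safe. Replacing the bare `rm` with `rm -f $PID_FILE` is a good change.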

6 Shut down the syslogd process by using the following command:

/etc/init.d/syslog.orig stop


7 Start syslog-ng by using the following command:

/etc/init.d/syslog start

8 Verify that only one instance of syslog-ng is running and that it matches the PID in the /etc/syslog-ng/syslog-ng.pid file by using the following command:

ps -ef |grep syslog-ng

9 Send a test message by using the following command:

logger -p daemon.crit syslog-ng test

Check the tail of the /var/adm/messages file. It should contain an entry that is similar to the following line:

Oct 28 12:08:30 local@scsp-sol9 root: [ID 702911 daemon.crit] syslog-ng test

Configuring Symantec Critical System Protection to work with syslog-ng on Solaris 8 and Solaris 9

To configure Symantec Critical System Protection to work with syslog-ng on Solaris 8 and Solaris 9

1 Stop the Symantec Critical System Protection IDS agent by using the following command:

/etc/init.d/sisidsagent stop

2 Switch to use syslog-ng in the IDS LocalAgent.ini file by editing the /opt/Symantec/scspagent/IDS/system/LocalAgent.ini file.

In the [Syslog Collector] section, switch Syslog Daemon from DEFAULT to SYSLOGNG. Make very sure that the Syslog NG Source option is correct for your configuration. For example, the [Syslog Collector] section should look similar to this:

[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=local # name in the config for internal and /dev/log sources (aka 'src' or 's_sys', etc)
#Syslog NG Filter=scsp_filter

Note: Be sure that you remove the comment marker (#) when you change the value.


3 Start the Symantec Critical System Protection IDS agent by using the following command:

/etc/init.d/sisidsagent start

4 Verify that the following lines were added to the /etc/syslog-ng/syslog-ng.conf file:

# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(local); filter(scsp_filter); destination(scsp_dest); };

5 Generate some syslog messages, for example, log on and log out with the appropriate policy applied. Verify that an event is generated as expected.

Configuring syslog-ng 3.x to work with Symantec Critical System Protection on RHEL 5.4

The Symantec Critical System Protection IDS agent requires that the configuration file be /etc/syslog-ng/syslog-ng.conf, and the startup script be /etc/init.d/syslog. If you have already set up syslog-ng with different startup or configuration scripts, make sure that there are symlinks pointing to the existing startup and configuration files.

Note: You must start the syslog-ng daemon in background process mode rather than the default foreground mode. Starting it in foreground mode makes it appear that two instances are running. The Symantec Critical System Protection agent is not able to monitor if two instances are running. You should add the --process-mode=background option to the syslog-ng startup script.

Before performing the following procedure, you should already have downloaded and installed all syslog-ng packages and any software on which it depends from www.balabit.com. For example, you might use the following URL:

http://www.balabit.com/downloads/files?path=/syslog-ng/sources/3.2.4/setups/linux-glibc2.3.6-i386


To configure syslog-ng to work with Symantec Critical System Protection on RHEL 5.4

1 Create the /etc/syslog-ng directory. For example, you can use the following commands:

cd /etc

mkdir /etc/syslog-ng

chmod 755 /etc/syslog-ng

chown root:root /etc/syslog-ng

2 Create a symlink to the existing configuration file, /opt/syslog-ng/etc/syslog-ng.conf, by using the following command:

ln -s /opt/syslog-ng/etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf

3 Rename the legacy syslog startup script, and then rename the syslog-ng startup script to take its place, by using the following commands:

mv /etc/init.d/syslog /etc/init.d/syslog.orig

chmod -x /etc/init.d/syslog.orig

mv /etc/init.d/syslog-ng /etc/init.d/syslog

4 Edit the /etc/init.d/syslog startup script to add the --process-mode switch to SYSLOGNG_OPTIONS. For example, it should look similar to the following text:

case "$OS" in
  Linux)
    SYSLOGNG_OPTIONS="--no-caps --process-mode=background"
    ;;
esac

5 Stop the Symantec Critical System Protection IDS agent by using the following command:

/etc/init.d/sisidsagent stop


6 Switch to use syslog-ng in the IDS LocalAgent.ini file by editing the /opt/Symantec/scspagent/IDS/system/LocalAgent.ini file.

In the [Syslog Collector] section, switch Syslog Daemon from DEFAULT to SYSLOGNG. Make very sure that the Syslog NG Source option is correct for your configuration. For example, the [Syslog Collector] section should look similar to this:

[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=local # name in the config for internal and /dev/log sources (aka 'src' or 's_sys', etc)
#Syslog NG Filter=scsp_filter

Note: Be sure that you remove the comment marker (#) when you change the value.

7 Start the Symantec Critical System Protection IDS agent by using the following command:

/etc/init.d/sisidsagent start

8 Verify that the following lines were added to the /etc/syslog-ng/syslog-ng.conf file:

# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(s_local); filter(scsp_filter); destination(scsp_dest); };

9 Generate some syslog messages, for example, log on and log out with the appropriate policy applied. Verify that an event is generated as expected.
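A consistency check for the three syslog-ng procedures above (Solaris 10, Solaris 8 and 9, and RHEL 5.4), written for these notes as an added example and not Symantec's own tooling: it reads the [Syslog Collector] settings from LocalAgent.ini, confirms that the syslog-ng.conf lines the agent adds route the configured Syslog NG Source through scsp_filter into scsp_dest, that the startup script passes --process-mode=background, and that exactly one syslog-ng instance is running with the PID recorded in the PID file. It assumes ps -ef output with the PID in the second column and treats a trailing # in LocalAgent.ini as a comment, as the samples above do; the source definition and ps output are constructed samples.

```python
import re
from configparser import ConfigParser

# The log statement the agent adds must route the source named in LocalAgent.ini
# through the scsp filter into the scsp destination.
LOG_STATEMENT_RE = re.compile(
    r"log\s*\{\s*source\((\w+)\)\s*;\s*filter\((\w+)\)\s*;\s*destination\((\w+)\)\s*;\s*\}\s*;"
)


def read_syslog_collector(ini_text):
    """Return the [Syslog Collector] settings; '#' starts a comment, full-line or trailing."""
    parser = ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                          inline_comment_prefixes=("#",), interpolation=None)
    parser.optionxform = str          # keep key case (Syslog Daemon, Syslog NG Source)
    parser.read_string(ini_text)
    return dict(parser["Syslog Collector"])


def running_pids(ps_output, name="syslog-ng"):
    """PIDs from 'ps -ef' lines that name the daemon, ignoring the grep line itself."""
    return [int(line.split()[1]) for line in ps_output.splitlines()
            if name in line and "grep" not in line]


def check_integration(ini_text, conf_text, init_script, ps_output, pidfile_text):
    """Return a list of findings; an empty list means the integration looks consistent."""
    findings = []
    settings = read_syslog_collector(ini_text)
    if settings.get("Syslog Daemon") != "SYSLOGNG":
        findings.append("LocalAgent.ini: Syslog Daemon is not SYSLOGNG")
    source = settings.get("Syslog NG Source", "")
    flt = settings.get("Syslog NG Filter", "scsp_filter")    # commented out => default name

    if not re.search(r"destination\s+scsp_dest\s*\{", conf_text):
        findings.append("syslog-ng.conf: destination scsp_dest is missing")
    if not re.search(rf"filter\s+{re.escape(flt)}\s*\{{", conf_text):
        findings.append(f"syslog-ng.conf: filter {flt} is missing")
    if not re.search(rf"source\s+{re.escape(source)}\s*\{{", conf_text):
        findings.append(f"syslog-ng.conf: source {source!r} from LocalAgent.ini is not defined")
    routes = [r for r in LOG_STATEMENT_RE.findall(conf_text) if r[2] == "scsp_dest"]
    if not routes:
        findings.append("syslog-ng.conf: no log statement delivers to scsp_dest")
    elif not any(s == source and f == flt for s, f, _ in routes):
        findings.append(f"syslog-ng.conf: scsp_dest is fed from source({routes[0][0]}) with "
                        f"filter({routes[0][1]}), but LocalAgent.ini names source {source!r}")

    if "--process-mode=background" not in init_script:
        findings.append("startup script: --process-mode=background missing; in foreground "
                        "mode the agent sees what looks like two instances")
    pids = running_pids(ps_output)
    if len(pids) != 1:
        findings.append(f"{len(pids)} syslog-ng processes running, expected exactly one")
    elif pids[0] != int(pidfile_text.strip()):
        findings.append(f"running PID {pids[0]} does not match PID file ({pidfile_text.strip()})")
    return findings


# Constructed sample inputs, modelled on the fragments in the procedures above.
INI_OK = """[Syslog Collector]
#Derive Virtual Agents=0
Syslog Daemon=SYSLOGNG
Syslog NG Source=local # name in the config for internal and /dev/log sources
#Syslog NG Filter=scsp_filter
"""
CONF_OK = """source local { internal(); unix-stream("/dev/log"); };
# The following is required for Symantec Host IDS - Do not edit or remove
destination scsp_dest { pipe("/opt/Symantec/scspagent/IDS/system/ids_syslog.pipe" group(sisips) perm(0600)); };
filter scsp_filter { level(info..emerg) and not ( facility(mail) and level(debug..warn) ); };
log { source(local); filter(scsp_filter); destination(scsp_dest); };
"""
CONF_WRONG_SOURCE = CONF_OK.replace("source(local)", "source(s_local)")  # ini still says local
INIT_OK = 'OPTIONS="-f $CONFFILE -p $PIDFILE --process-mode=background"\n'
INIT_FOREGROUND = 'OPTIONS="-f $CONFFILE -p $PIDFILE"\n'
PS_ONE = ("    root  1234     1   0 15:10:02 ?        0:00 /usr/local/sbin/syslog-ng "
          "-f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslog-ng.pid --process-mode=background\n"
          "    root  1300  1299   0 15:16:40 pts/1    0:00 grep syslog-ng\n")
PS_TWO = PS_ONE + "    root  1235  1234   0 15:10:02 ?        0:00 /usr/local/sbin/syslog-ng\n"
PIDFILE = "1234\n"

if __name__ == "__main__":
    print(check_integration(INI_OK, CONF_OK, INIT_OK, PS_ONE, PIDFILE))   # []
    print(check_integration(INI_OK, CONF_WRONG_SOURCE, INIT_FOREGROUND, PS_TWO, PIDFILE))
```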

You can now make user and group names optional in policies

Users can enter an optional user name or group name in a policy by adding a dash (-) before the user name or group name. The policy is then applied even if the user name or group name is not available on the system. If the name is not optional, and the name is not available on the system, then the policy is not applied.


IPS features

Optional user names and group names in IPS policies

This feature was available in release 5.2 RU7 and now is available for all supported operating systems.

You can now enter an optional user name or group name in prevention policies by adding a dash (-) before the user name or group name. For example, you would use -administrator to make the administrator user name optional. In this case, the policy is applied even if the user name is not available in the system. If you use administrator (with no dash) instead, the presence of the administrator name is mandatory, and the policy fails to apply if it is not available. This syntax can be used even if the user names or group names are in environment variables or registry keys.

Note: This feature is implemented in the agent, so it is only available when you use release 5.2 RU7 and later agents.

Logging of privilege escalation to superuser or a different user

The UNIX Prevention policy now logs the original user ID for users who escalate their privileges to root or a user with different privileges. This new feature is available on all supported AIX, Red Hat Enterprise Linux, and SUSE Linux platforms.

Now, when UNIX or Linux users use the su command to escalate to superuser privilege, this escalation is logged with the users' original login IDs. Users can now be monitored and held accountable for their actions while they have different privileges.

Root accountability

Before release 5.2 RU8, there was no simple way to monitor users who escalated their privileges to root. If multiple users simultaneously su'ed to root, their root actions were logged, but you could not connect a particular log entry to a particular user's non-root user ID.

In all prevention events that contain user name information, Symantec Critical System Protection now records the immediately previous user name in add to the current user name. Now, when UNIX or Linux users use the su command to escalate to superuser privilege, this escalation is logged with the users' original login IDs. Users can now be monitored and held accountable for their actions while they have different privileges.


The “immediately previous user name” is the effective user name at the time of the setid call. Symantec Critical System Protection does not record the effective user name and real user name of the process after the setid call, since the real user name is generally set to be the same as the effective user name, even after an su.

Note: Symantec Critical System Protection records only the immediately previous user name. It does not record an arbitrary chain of user names.

The root accountability feature is available only on UNIX or Linux operating systems that support Symantec Critical System Protection Intrusion Prevention (IPS).

For a simple scenario, such as the case where an administrator logs onto a computer and switches to user1, Symantec Critical System Protection now shows the full picture. The logs of the administrator’s activity while logged on as user1 show both the user1 name and the administrator name in the events.

For chained su use cases, such as where an administrator logs onto a computer, switches to user1, and then switches to user2, Symantec Critical System Protection now shows part of the picture. Activity while the administrator is logged on as user2 shows the user2 name and user1 name, but does not record the administrator name in the logs for these events.

Event data

The previous user name data is recorded as an additional field in all existing UNIX-related prevention events. The following possibilities exist for this additional field:

■ It can be empty. An empty field means that the process has never had a user name different from the current one.

■ It can have a single user name. A single user name means that the process has had only one other user name than the current one.

■ It can have two user names. Two user names means that the process has had at least two different user names before the current one.

In the Comma Separated Value (CSV) files stored on the agents, the previous user name data appears in field 30 of the event. In the example events shown, the previous user name is in the last field of each entry.

PPST,17213,2011-04-06 01:29:22.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,jeff,0,/bin/ps,12797,,ps -elf --forest,exec,int_rootpriv_ps,12614,,,,/bin/bash,,,,0,,,root


PFIL,17297,2011-04-06 01:30:49.000 Z-0700,W,,GR,073adb47013fc4e3cf7d7d37300a4df3,e,,,jeff,0,/bin/touch,12845,A,/home/jeff/file.noaccess,open,int_rootpriv_ps,00000000,00000000,0000000a,,,,00000000,,0,,,root

In the Symantec Critical System Protection console, the previous user name data appears as an additional field in the Details section of the display.

SOURCE

Agent Name gbvm-rhel5

Host Name gbvm-rhel5

Host IP Address 10.180.246.110

User Name jeff

Agent Version 5.2.8.76

OS Type Linux

OS Version 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 (x86_64)

Agent Type CSP Native Agent

EVENT

Event Type File Access

Event Category Real Time - Prevention

Operation open

Event Severity Warning

Event Priority 45

Event Date 05-Apr-2011 18:30:49 PDT

Post Date 05-Apr-2011 18:35:00 PDT

Post Delay 00:04:11

Event Count 1

Event ID 2744180

DETAILS

Description File Write Allowed for touch on /home/jeff/file.noaccess

Policy Name policy_unix_5.2.8

Process /bin/touch

File Name /home/jeff/file.noaccess

Agent State Prevention Globally Disabled

Disposition Allow

Process Set int_rootpriv_ps


Operation open

OS Result 00000000 (SUCCESS)

SCSP Result 00000000 (SUCCESS)

Permissions Requested 0000000a (write, create)

Process ID 12845

Thread ID 0

Previous User Names root

About multiple previous usernames

Some events record two previous user names in the data. When this occurs, the user names are separated by a colon and the most immediately previous user name is listed first. For example, consider an event that contains the following user name information:

User Name root

Previous User Names jeff:root

The following information applies to this event:

■ The process’s current effective user name is root. This name is located in the User Name field.

■ The current process came from a process that most recently had the user name jeff. jeff is the first user name listed in the Previous User Names field.

■ Prior to being jeff, the process ancestry had a process with the user name root. root is the second user name listed in the Previous User Names field.

At times the second user name listed in the Previous User Names field is not very relevant. It can be the user name of the daemon that created the login shell or of the su command. At other times it can be relevant. It can be the user name of an su session or login session the human user was in before becoming the current user name.

Examples

User jeff logs on

In this scenario, once user jeff logs in, events display the Previous User Name of root, which reflects the root user from the sshd parent process. In this scenario, the previous user name, root, is not particularly relevant because the person logging in never had a root shell. The following examples show the CSV events.

Process assignment event when sshd changes user to jeff:


PPST,16898,2011-04-06 01:24:20.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,jeff,0,/usr/sbin/sshd,12613,,sshd: jeff [priv],setid,int_gateway_ps,12611,,,,/usr/sbin/sshd,,,,0,,,root

Process assignment event showing a ps command, along with command line arguments, run by user jeff:

PPST,17213,2011-04-06 01:29:22.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,jeff,0,/bin/ps,12797,,ps -elf --forest,exec,int_rootpriv_ps,12614,,,,/bin/bash,,,,0,,,root

File access event shows user jeff attempting to open a file:

PFIL,17297,2011-04-06 01:30:49.000 Z-0700,W,,GR,073adb47013fc4e3cf7d7d37300a4df3,e,,,jeff,0,/bin/touch,12845,A,/home/jeff/file.noaccess,open,int_rootpriv_ps,00000000,00000000,0000000a,,,,00000000,,0,,,root

All three events show the current user name as jeff and the previous user name as root.

The following text shows how the same file access event displays on the console.

SOURCE

Agent Name gbvm-rhel5

Host Name gbvm-rhel5

Host IP Address 10.180.246.110

User Name jeff

Agent Version 5.2.8.76

OS Type Linux

OS Version 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 (x86_64)

Agent Type CSP Native Agent

EVENT

Event Type File Access

Event Category Real Time - Prevention

Operation open

Event Severity Warning

Event Priority 45

Event Date 05-Apr-2011 18:30:49 PDT


Post Date 05-Apr-2011 18:35:00 PDT

Post Delay 00:04:11

Event Count 1

Event ID 2744180

DETAILS

Description File Write Allowed for touch on /home/jeff/file.noaccess

Policy Name policy_unix_5.2.8

Process /bin/touch

File Name /home/jeff/file.noaccess

Agent State Prevention Globally Disabled

Disposition Allow

Process Set int_rootpriv_ps

Operation open

OS Result 00000000 (SUCCESS)

SCSP Result 00000000 (SUCCESS)

Permissions Requested 0000000a (write, create)

Process ID 12845

Thread ID 0

Previous User Names root

User jeff su's to root

When user jeff su’s to root, the previous user name data shows the current user name of the process as root, and the previous user name data has both jeff and root:

■ jeff is the immediately previous user name, reflecting the fact that jeff logged in to the system.

■ root is the user name before jeff, and reflects the sshd process user name.

The following examples show the CSV events.

Process assignment event when the su program changes user from jeff to root. Note that the previous user name data at the end of the event now shows jeff:root, indicating that the user name jeff is the immediately previous user name.

PPST,17520,2011-04-06 01:33:05.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,root,0,/bin/su,12959,,su,setid,int_rootpriv_ps,12955,,,,/bin/su,,,,0,,,jeff:root


Process assignment event showing a ps command with command line arguments, run by root. You can compare this with the event for the same ps command run previously by jeff.

PPST,17604,2011-04-06 01:34:04.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,root,0,/bin/ps,13008,,ps -elf --forest,exec,int_rootpriv_ps,12959,,,,/bin/bash,,,,0,,,jeff:root

File access event showing root attempting to open a file.

PFIL,17544,2011-04-06 01:33:07.000 Z-0700,W,,GR,073adb47013fc4e3cf7d7d37300a4df3,e,,,root,0,/bin/ls,12973,A,/home/jeff/file.noaccess,lstat,int_rootpriv_ps,00000000,00000000,00004000,,,,00000000,,0,,,jeff:root

The following text shows how the same file access event displays on the console.

SOURCE

Agent Name gbvm-rhel5

Host Name gbvm-rhel5

Host IP Address 10.180.246.110

User Name root

Agent Version 5.2.8.76

OS Type Linux

OS Version 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 (x86_64)

Agent Type CSP Native Agent

EVENT

Event Type File Access

Event Category Real Time - Prevention

Operation lstat

Event Severity Warning

Event Priority 45

Event Date 05-Apr-2011 18:33:07 PDT

Post Date 05-Apr-2011 18:37:19 PDT

Post Delay 00:04:12

Event Count 1

Event ID 2744185

DETAILS


Description File Read Allowed for ls on /home/jeff/file.noaccess

Policy Name policy_unix_5.2.8

Process /bin/ls

File Name /home/jeff/file.noaccess

Agent State Prevention Globally Disabled

Disposition Allow

Process Set int_rootpriv_ps

Operation lstat

OS Result 00000000 (SUCCESS)

SCSP Result 00000000 (SUCCESS)

Permissions Requested 00004000 (stat)

Process ID 12973

Thread ID 0

Previous User Names jeff:root

User jeff logs on and then su's to bob

The initial stage of this scenario is identical to the first scenario where user jeff simply logs on. Refer to the first example for the events related to the first stage.

See “User jeff logs on” on page 66.

The second stage of this scenario shows user jeff su'ing directly to user bob. The following example events represent the second stage of this scenario.

Note: The Previous User Names field lists root, and then jeff. The root user name reflects the su program being run by jeff. su is a setuid root program, and thus the root user name is inserted into the Previous User Names field. This behavior is the same on Solaris and Linux operating systems, but is not the same on AIX operating systems.

In this scenario, the first previous user name is not very relevant, since it only indicates that the su program itself momentarily became root in order to accomplish the identity change to bob. Contrast this with the final scenario where user jeff logs on, su's to root, and then su's to become user bob.

The following examples show the CSV events.

Process assignment event when the su program changes user from jeff to bob:

PPST,35165,2011-04-06 06:54:22.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,bob,0,/bin/ps,23239,,ps -elf --forest,exec,int_rootpriv_ps,23221,,,,/bin/bash,,,,0,,,root:jeff

File access event showing bob attempting to open a file:

PFIL,35421,2011-04-06 06:58:32.000 Z-0700,W,,GR,073adb47013fc4e3cf7d7d37300a4df3,e,,,bob,0,/bin/ls,23385,A,/home/jeff/file.noaccess,stat,int_rootpriv_ps,fffffff3,00000000,00004000,,,,00000000,,0,,,root:jeff

User jeff logs on, su's to root, and then su's to bob

The first stage of the use case is for jeff to su to root and get a root shell. The example shows running the ps command in the root shell. This is identical to Use Case 1a above.

The second stage of the use case is running the su command again, from the root shell, to become the user bob.

Compare the two events below for the user bob with the corresponding two events from the previous scenario where user jeff logs on and then su's to bob. You see that the events look identical. Specifically, the previous user name data in both sets of events is the same. The fact that in the previous scenario where user jeff logs on and then su's to bob, there was no root shell involved while in this scenario there was a root shell involved is not apparent from the single events shown. To determine whether a root shell was involved in getting to the bob login session, you have to look at the full sequence of process assignment events.

The following examples show the CSV events.

Process assignment event showing a ps command, along with command linearguments, run by user root:

PPST,35641,2011-04-06 07:01:46.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,root,0,/bin/ps,23504,,ps -elf --forest,exec,int_rootpriv_ps,23490,,,,/bin/bash,,,,0,,,jeff:root

Process assignment event showing a ps command, along with command line arguments, run by bob. See that the previous user name info has pushed jeff to the second most recent user name, with root being the most recent user name:

PPST,36046,2011-04-06 07:08:10.000 Z-0700,I,,G,073adb47013fc4e3cf7d7d37300a4df3,,,,bob,0,/bin/ps,23733,,ps -elf --forest,exec,int_rootpriv_ps,23697,,,,/bin/bash,,,,0,,,root:jeff


File access event showing user bob attempting to open a file:

PFIL,36076,2011-04-06 07:08:44.000 Z-0700,W,,GR,073adb47013fc4e3cf7d7d37300a4df3,e,,,bob,0,/bin/ls,23750,A,/home/jeff/file.noaccess,stat,int_rootpriv_ps,fffffff3,00000000,00004000,,,,00000000,,0,,,root:jeff

The following text shows how the same file access event displays on the console.

SOURCE

Agent Name gbvm-rhel5

Host Name gbvm-rhel5

Host IP Address 10.180.246.110

User Name bob

Agent Version 5.2.8.76

OS Type Linux

OS Version 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 (x86_64)

Agent Type CSP Native Agent

EVENT

Event Type File Access

Event Category Real Time - Prevention

Operation stat

Event Severity Warning

Event Priority 45

Event Date 05-Apr-2011 00:08:44 PDT

Post Date 05-Apr-2011 00:12:58 PDT

Post Delay 00:04:14

Event Count 1

Event ID 2744212

DETAILS

Description File Read Allowed for ls on /home/jeff/file.noaccess

Policy Name policy_unix_5.2.8

Process /bin/ls

File Name /home/jeff/file.noaccess

Agent State Prevention Globally Disabled

Disposition Allow

Process Set int_rootpriv_ps


Operation stat

OS Result 00000000 (SUCCESS)

SCSP Result 00000000 (SUCCESS)

Permissions Requested 00004000 (stat)

Process ID 23750

Thread ID 0

Previous User Names root:jeff
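The scenarios above show that a single bob event looks the same whether or not a root shell was involved; the following added example (not part of the Symantec agent or console) parses the CSV events, reading the user name from field 11 and the previous user names from field 30, and walks a session's event sequence to attribute root actions to the original login and to tell the two bob scenarios apart. Field 30 is the position the notes give; the other positions are read off the sample events above, and the sample lines are those events re-joined onto single lines.

```python
import csv
from dataclasses import dataclass

# 1-based field positions in the agent CSV.  Field 30 (previous user names) is
# documented in the notes; the others are taken from the sample events.
F_TYPE, F_USER, F_PROCESS, F_PID, F_TARGET, F_OPERATION, F_PREVIOUS = 1, 11, 13, 14, 16, 17, 30


@dataclass
class Event:
    kind: str        # PPST = process assignment, PFIL = file access
    user: str        # current effective user name
    process: str
    pid: int
    target: str      # command line (PPST) or file path (PFIL)
    operation: str   # setid, exec, open, stat, lstat, ...
    previous: list   # previous user names, most recent first (field 30 split on ':')


def parse_event(line):
    fields = next(csv.reader([line]))
    if len(fields) < F_PREVIOUS:
        raise ValueError(f"expected at least {F_PREVIOUS} fields, got {len(fields)}")
    previous = [u for u in fields[F_PREVIOUS - 1].split(":") if u]
    return Event(fields[F_TYPE - 1], fields[F_USER - 1], fields[F_PROCESS - 1],
                 int(fields[F_PID - 1]), fields[F_TARGET - 1], fields[F_OPERATION - 1],
                 previous)


def identity_chain(event):
    """User names oldest to newest as far as one event records them (at most two previous)."""
    return list(reversed(event.previous)) + [event.user]


def root_actions_by_origin(events):
    """Commands and file accesses performed as root, attributed to the user who became root.
    su's own setid event is the transition itself rather than an action, so it is skipped."""
    return [(ev.previous[0], ev.operation, ev.process, ev.target) for ev in events
            if ev.user == "root" and ev.operation != "setid"
            and ev.previous and ev.previous[0] != "root"]


def root_shell_involved(events):
    """True when the session actually did something as root.  One bob event cannot tell
    this (root:jeff appears either way); the sequence of process assignment events can."""
    return bool(root_actions_by_origin(events))


# Sample events from the scenarios above, re-joined onto single lines.
HASH = "073adb47013fc4e3cf7d7d37300a4df3"
DIRECT_TO_BOB = [   # jeff logs on and su's straight to bob
    f"PPST,35165,2011-04-06 06:54:22.000 Z-0700,I,,G,{HASH},,,,bob,0,/bin/ps,23239,"
    ",ps -elf --forest,exec,int_rootpriv_ps,23221,,,,/bin/bash,,,,0,,,root:jeff",
    f"PFIL,35421,2011-04-06 06:58:32.000 Z-0700,W,,GR,{HASH},e,,,bob,0,/bin/ls,23385,A,"
    "/home/jeff/file.noaccess,stat,int_rootpriv_ps,fffffff3,00000000,00004000,,,,00000000,,0,,,root:jeff",
]
VIA_ROOT_SHELL = [  # jeff logs on, su's to root, works as root, then su's to bob
    f"PPST,35641,2011-04-06 07:01:46.000 Z-0700,I,,G,{HASH},,,,root,0,/bin/ps,23504,"
    ",ps -elf --forest,exec,int_rootpriv_ps,23490,,,,/bin/bash,,,,0,,,jeff:root",
    f"PPST,36046,2011-04-06 07:08:10.000 Z-0700,I,,G,{HASH},,,,bob,0,/bin/ps,23733,"
    ",ps -elf --forest,exec,int_rootpriv_ps,23697,,,,/bin/bash,,,,0,,,root:jeff",
    f"PFIL,36076,2011-04-06 07:08:44.000 Z-0700,W,,GR,{HASH},e,,,bob,0,/bin/ls,23750,A,"
    "/home/jeff/file.noaccess,stat,int_rootpriv_ps,fffffff3,00000000,00004000,,,,00000000,,0,,,root:jeff",
]

if __name__ == "__main__":
    for name, lines in (("direct to bob", DIRECT_TO_BOB), ("via root shell", VIA_ROOT_SHELL)):
        events = [parse_event(line) for line in lines]
        print(name, identity_chain(events[-1]), root_shell_involved(events),
              root_actions_by_origin(events))
```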

Child processes of custom applications can be assigned to another custom application process set

The initial implementation of the custom program feature assigned the child processes of a custom program to its parent process set. Now when you define a custom program, any processes that the custom application launches can be reassigned to other custom application process sets that were defined in another custom program.


Syntax for using variables, registry values, and function calls

References to variables, registry values, and function calls cannot be nested, since nesting can result in ambiguous strings. For instance, in %myvarpart1%insidevar%myvarpart2%, it is not clear whether the second percent sign ends the first variable reference or begins a nested reference.

Table 5-1

Syntax                                           Type
%[modifier]parameter%                            Simple parameter
%[modifier]parameter:field%                      Compound parameter
%[modifier]shortcut%                             Shortcut
%[modifier]environmentvariable%                  Environment variable
%%[modifier][redirectionspec]registrypath%%      Registry value
%?[modifier]function(parameters)?%               Function

Variables

The variables that you can use are parameters, compound parameters, shortcuts, and environment variables. A compound parameter contains an added sequence to identify a field. If more than one type of variable exists with the same name, the software uses the first one that exists from the following ordered list:

■ Parameter

■ Shortcut

■ Environment variable

Simple parameter

A parameter is a variable defined by a parameter element in a policy. A simple parameter has one list of values; a compound parameter has a set of lists. The software replaces the parameter reference with the value or values. Parameter names are case sensitive.

Compound parameter

A compound parameter is also a variable defined by a parameter element. But instead of one list, it contains a list of sets of values. Each set contains assignments for one or more fields. For example, a compound parameter may contain values for fields such as prog, cmdline, id, and value. For each type of parameter list, there is a specific set of fields that can be used. For a compound parameter, you must prefix field names with a colon. For example, you might use %myparameter:prog%. Parameter and field name are case sensitive.

In most instances, compound parameter references are optional. The exceptions to this rule are as follows:

■ The value attribute anywhere other than in a <newproc>

■ The value attribute inside a <newproc> if the element has a type attribute with a value of prog

■ The prog attribute inside an <overflow> section

Shortcut

A shortcut is a type of variable where the value is typically listed in the shortcuts.txt file in the Symantec Critical System Protection bin directory. Shortcut names are case sensitive on UNIX, and case insensitive on Windows.

Environment variable

You can use an operating system environment variable as a variable in a policy. Environment variable names follow the operating system’s normal conventions for case sensitivity, so they are case sensitive on UNIX and case insensitive on Windows.


Registry value

For registry references, the software looks up the given value in the registry and replaces the reference with the data that the value contains. The data must be one of the following types:

■ REG_SZ (string)

■ REG_EXPAND_SZ (string with environment variables that should be expanded)

■ REG_MULTI_SZ (list of strings)

■ REG_DWORD (32-bit integer)

■ REG_QWORD (64-bit integer)

The software expands the environment variables in a REG_EXPAND_SZ value immediately, before it processes the resulting string. For REG_MULTI_SZ values, the reference expands to the list of strings.

On 64-bit versions of Windows, you can prefix registry paths with an optional redirection specification. This redirection specification specifies how registry redirection should be used when looking up the path. The valid redirection specifications are as follows:

■ 32:

■ 64:

■ 6432:

■ 3264:

For the values of 64: and 32:, redirection is turned off or on to give a 64-bit program’s view of the registry or a 32-bit program’s view, respectively. For 6432: and 3264:, the lookup is tried with both redirection off and with redirection on. 6432: looks in the 64-bit view of the registry first, and then if that fails, looks in the 32-bit view. The value 3264: looks in the 32-bit view of the registry first.

Function

A function reference provides a way to call an extension function from within a policy. The software replaces the function reference with the return value or list of return values of the function. Extension functions are defined in Windows dlls or in the UNIX shared objects that are located in the IPS/extensions directory under the agent installation root directory.


Note: In a function reference such as %?function(parameters)?%, the parameters may contain any characters, even special characters, except that you must escape a close parenthesis ( ) ). The function parameters are not processed, so if they contain a reference themselves, the text of the reference is passed to the function. For example, %myvar% is passed rather than myvar's value after evaluation. However, if a function's return value contains a reference, the reference is subsequently evaluated.

Importing a file list

Symantec Critical System Protection now provides a new policy function, ImportFileList, that can reference a text file on the agent and import strings from that file into the policy. You can use the new function anywhere in the policy that you can enter strings, for example, anywhere you can enter file paths, registry paths, user names, and so on. When the policy is applied to an agent, the agent then retrieves a list of strings from the referenced file and substitutes them into the parameter in the policy.

This feature is available on all supported platforms.

The following guidelines apply:

■ You can use any string in the file that you can enter into a parameter value in the console. For example, a file can contain strings such as file paths, Windows registry entries, user names, group names, or IP addresses.

■ Each line of the file must contain exactly one string.

■ You can use Unicode or ASCII file format.

■ Each file must contain no more than 100 lines. If the number of lines exceeds 100, Symantec Critical System Protection returns an error and the file is not used in the policy.

■ Begin the import file function with a percent question mark (%?) and end it with a question mark percent (?%). An example that imports a file list named privuserlist.txt is %?ImportFileList(c:\mydir\privuserlist.txt)?%

■ A file can be made optional by adding a dash (-) after the prefix and before the function. An example that imports an optional file list named privuserlist.txt is %?-ImportFileList(c:\mydir\privuserlist.txt)?%. When the file is optional, the policy is still applied even if the file is not available on the system.

■ Place the file on the computer that runs the Symantec Critical System Protection agent. The file is read at the time that the policy is applied.


Importing a list of strings into a policy from a file

To import a list of strings into a policy from a file

1 Open the policy in the console.

2 Open the parameter that you want to populate from a list of strings in a file.

3 Type the following input into the parameter field:

■ To populate a parameter where the policy is not applied if the file is not available on the system: %?ImportFileList(filepath)?%

■ To populate a parameter where the policy is still applied even if the file is not available on the system: %?-ImportFileList(filepath)?%

Note: The filepath variable is mandatory.
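The reference syntax from the function-reference note and the ImportFileList guidelines above (%?...?% delimiters, the optional dash form, the escaped close parenthesis, one string per line, Unicode or ASCII files, the 100-line limit), worked as an added Python example that is not part of the release notes or of the product. The files, the error type, the whitespace trimming and the substitution order are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# %?ImportFileList(path)?% or the optional %?-ImportFileList(path)?%; a literal ")" in the path is escaped as "\)"
_REF = re.compile(r"%\?(?P<opt>-?)ImportFileList\((?P<path>(?:\\\)|[^)])*)\)\?%")

class ImportFileListError(Exception): """Mandatory file missing, or more than 100 lines."""

def read_file_list(path, optional=False):
    # Hypothetical agent-side read of the import file, one string per line.
    try:
        text = Path(path).read_bytes().decode("utf-8-sig")   # ASCII / UTF-8 files
    except UnicodeDecodeError:
        text = Path(path).read_bytes().decode("utf-16")      # Unicode (UTF-16) files
    except OSError as err:
        if optional:
            return []          # optional file absent: no strings, policy still applies
        raise ImportFileListError(f"import file not available: {path}") from err
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > 100:       # limit stated in the release notes: error, file not used
        raise ImportFileListError(f"{path}: {len(lines)} lines exceed 100")
    return lines

def expand_parameter(value):
    # Expand every ImportFileList reference in a parameter value into the resulting strings.
    pending, done = [value], []
    while pending:
        cur = pending.pop(0)
        m = _REF.search(cur)
        if m is None:
            done.append(cur)
        else:
            path = m.group("path").replace("\\)", ")")   # un-escape the close parenthesis
            for item in read_file_list(path, optional=m.group("opt") == "-"):
                pending.append(cur[:m.start()] + item + cur[m.end():])  # re-scanned, so a returned reference is evaluated
    return done

def demo():
    d = Path(tempfile.mkdtemp())   # constructed sample files, not real agent data
    (d / "privuserlist.txt").write_text("Administrator\nbackup_svc\n", encoding="utf-8")
    (d / "toolong.txt").write_text("\n".join(f"user{i}" for i in range(101)), encoding="utf-16")
    cases = {"users": f"%?ImportFileList({d}/privuserlist.txt)?%",
             "optional_missing": f"%?-ImportFileList({d}/nofile.txt)?%",
             "too_long": f"%?ImportFileList({d}/toolong.txt)?%",
             "mandatory_missing": f"%?ImportFileList({d}/nofile.txt)?%"}
    out = {}
    for name, ref in cases.items():
        try:
            out[name] = expand_parameter(ref)
        except ImportFileListError:
            out[name] = "error"    # parameter cannot be populated, policy not applied
    return out
```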

Additional release information

Logging of previous user ID to track privilege escalation on IPS events

Symantec Critical System Protection now provides root accountability. It logs a user's previous UID as well as the current UID for each logged IPS event.

See “Root accountability” on page 63.

Use of Tomcat 5.5.33

Symantec Critical System Protection now uses Apache Tomcat version 5.5.33.

Restart required

When the Symantec Critical System Protection prevention feature is enabled, you must restart all Windows agent computers after an installation or upgrade. As of release 5.2 RU6, when Real-time File Integrity Monitoring became available, all Windows agents must be restarted after an installation or upgrade, even if the Symantec Critical System Protection prevention feature is not enabled. A restart is required so that the Real Time File Integrity Monitoring feature works properly for all Windows agents. This feature is enabled by default on all supported Windows operating systems.

Operating systems affected: Windows, all supported versions


You must upgrade Solaris x86 agents before you upgrade your Symantec Critical System Protection management servers to release 5.2 RU8

Solaris x86 5.2 RU7 and older agents cannot communicate at all with the 5.2 RU8 management server. You must upgrade all Solaris x86 agents to 5.2 RU8 before you upgrade your management server to 5.2 RU8.

Note: This issue affects only the Solaris x86 agents; there is no issue with Solaris SPARC agents or agents on any other operating system.

Microsoft SQL Server 2000 is no longer supported

As of release 5.2 RU6, you can no longer use Microsoft SQL Server 2000 as the database for Symantec Critical System Protection. If you upgrade Microsoft SQL Server 2000 to a later version, you must ensure that the database compatibility level of the SCSPDB database is set to level 80 or higher.

To check or modify the SCSPDB compatibility level

1 Open the SQL Server Management Studio.

2 Use the sa user name to log in to the Microsoft SQL Server database.

3 Under Databases, right-click SCSPDB, and then select Properties > Options > Compatibility level.

4 Check the compatibility level. If it is lower than 80, change it to 80 or higher.

Build ID version numbers are now synchronized

The version numbers of the individual components in this Symantec Critical System Protection release are now the same for all components. The version number is updated regardless of whether the component was changed for the release.

Note: HP-UX is the exception. The individual component version numbers for HP-UX in this release have been updated only if the component was changed for the release.


What you need to know before you install or upgrade your software

The Symantec Critical System Protection Implementation Guide contains detailed information about how to install the Symantec Critical System Protection components. If you are installing for the first time, you should install, configure, and test Symantec Critical System Protection in a test environment.

For the latest and most complete information about the release and known issues and workarounds, refer to the readme file that accompanies this release.

For information about Symantec Critical System Protection features and platforms, see the Platform and Feature Matrix located in the docs folder on the product disc that contains this release.

Table 5-2 Overview of an installation

Step 1. Plan the installation

When planning your installation, you may need to consider the following:

■ Network architecture and policy distribution

■ Firewalls

■ Name resolution

■ IP routing

Step 2. Review the system requirements

All the computers on which you install Symantec Critical System Protection should meet or exceed the recommended operating system and hardware requirements.

Step 3. Decide on the computers to install the software components

You can install the management console and management server on the same computer or on separate computers. You can install agents on any computer. All computers must run a supported operating system.

Step 4. Decide on the management server installation type

You can install the following management server installation types:

■ An evaluation installation that runs SQL Server 2005 Express on the local system

■ An evaluation installation that uses an existing MS SQL instance on SQL Server 2005 or a newer version. Upgrades from any previous MS SQL instance versions are not supported. If you have an evaluation installation with an older MS SQL instance, upgrade it to SQL Server 2005 or a newer version and then begin the management server installation.

■ A production installation with Tomcat and the database schema.

The Symantec Critical System Protection Manager supports Microsoft SQL Server 2005 and all newer versions. If you use an existing MS SQL instance in a production installation, the database instance must be on MS SQL Server 2005 or a newer version. Upgrades from any previous MS SQL instance versions are not supported.

■ The Tomcat component only

Step 5. Configure the TEMP environment variable

The installation packages unpack installation files into the directory that is specified by the TEMP environment variable. The volume that contains this directory must have at least 200 MB of available disk space. If this volume does not have the required disk space, you must change your TEMP environment variable.

Step 6. Install the management server

You begin the installation by installing the management server.

Management server installation prompts you to enter a series of values consisting of port numbers, user names, passwords, and so on. Each database that you can install uses different default settings and options for the management server and database.

Step 7. Install the management console

Install the management console after you install the management server.

The management console installation also installs the authoring environment.

The management console installation does not prompt you to enter port numbers or server names. You enter this information after installation, when you configure the management console.

Step 8. Configure the management console

Management console configuration prompts you to enter a series of values consisting of port numbers, passwords, and a server name. In a few instances, the port numbers must match the port numbers that were specified during management server installation.

Step 9. Install the agents

Install the agents after you install the management server, and after you install and configure the management console.

The agent installation prompts you to enter a series of agent values consisting of port numbers, management server name, and so on.

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations.


Any use, modification, reproduction release, performance, display or disclosureof the Licensed Software and Documentation by the U.S. Government shall besolely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Printed in the United States of America.
